more upstream merging
parent
a47ea60ca9
commit
cff75c90ca
@ -28,151 +28,171 @@
|
|||||||
## </param>
|
## </param>
|
||||||
#
|
#
|
||||||
template(`su_per_userdomain_template',`
|
template(`su_per_userdomain_template',`
|
||||||
|
# in optional since loadable modules do not natively
|
||||||
|
# support per-userdomain templates yet.
|
||||||
|
optional_policy(`su.te',`
|
||||||
|
gen_require(`
|
||||||
|
type su_exec_t;
|
||||||
|
')
|
||||||
|
|
||||||
gen_require(`
|
type $1_su_t;
|
||||||
type su_exec_t;
|
domain_entry_file($1_su_t,su_exec_t)
|
||||||
|
domain_type($1_su_t)
|
||||||
|
domain_role_change_exempt($1_su_t)
|
||||||
|
domain_subj_id_change_exempt($1_su_t)
|
||||||
|
domain_obj_id_change_exempt($1_su_t)
|
||||||
|
domain_wide_inherit_fd($1_su_t)
|
||||||
|
role $3 types $1_su_t;
|
||||||
|
|
||||||
|
allow $2 $1_su_t:process signal;
|
||||||
|
|
||||||
|
allow $1_su_t self:capability { audit_control setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
||||||
|
dontaudit $1_su_t self:capability sys_tty_config;
|
||||||
|
allow $1_su_t self:process { setexec setsched setrlimit };
|
||||||
|
allow $1_su_t self:fifo_file rw_file_perms;
|
||||||
|
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
|
||||||
|
|
||||||
|
# Transition from the user domain to this domain.
|
||||||
|
domain_auto_trans($2, su_exec_t, $1_su_t)
|
||||||
|
allow $2 $1_su_t:fd use;
|
||||||
|
allow $1_su_t $2:fd use;
|
||||||
|
allow $1_su_t $2:fifo_file rw_file_perms;
|
||||||
|
allow $1_su_t $2:process sigchld;
|
||||||
|
|
||||||
|
# By default, revert to the calling domain when a shell is executed.
|
||||||
|
corecmd_shell_domtrans($1_su_t,$2)
|
||||||
|
allow $2 $1_su_t:fd use;
|
||||||
|
allow $1_su_t $2:fd use;
|
||||||
|
allow $1_su_t $2:fifo_file rw_file_perms;
|
||||||
|
allow $1_su_t $2:process sigchld;
|
||||||
|
|
||||||
|
kernel_read_system_state($1_su_t)
|
||||||
|
kernel_read_kernel_sysctl($1_su_t)
|
||||||
|
|
||||||
|
# for SSP
|
||||||
|
dev_read_urand($1_su_t)
|
||||||
|
|
||||||
|
fs_search_auto_mountpoints($1_su_t)
|
||||||
|
|
||||||
|
selinux_get_fs_mount($1_su_t)
|
||||||
|
selinux_validate_context($1_su_t)
|
||||||
|
selinux_compute_access_vector($1_su_t)
|
||||||
|
selinux_compute_create_context($1_su_t)
|
||||||
|
selinux_compute_relabel_context($1_su_t)
|
||||||
|
selinux_compute_user_contexts($1_su_t)
|
||||||
|
|
||||||
|
# Relabel ttys and ptys.
|
||||||
|
term_relabel_all_user_ttys($1_su_t)
|
||||||
|
term_relabel_all_user_ptys($1_su_t)
|
||||||
|
# Close and re-open ttys and ptys to get the fd into the correct domain.
|
||||||
|
term_use_all_user_ttys($1_su_t)
|
||||||
|
term_use_all_user_ptys($1_su_t)
|
||||||
|
|
||||||
|
auth_domtrans_user_chk_passwd($1_su_t,$1)
|
||||||
|
auth_dontaudit_read_shadow($1_su_t)
|
||||||
|
|
||||||
|
domain_wide_inherit_fd($1_su_t)
|
||||||
|
|
||||||
|
files_read_etc_files($1_su_t)
|
||||||
|
files_search_var_lib($1_su_t)
|
||||||
|
|
||||||
|
init_dontaudit_use_fd($1_su_t)
|
||||||
|
# Write to utmp.
|
||||||
|
init_rw_script_pid($1_su_t)
|
||||||
|
|
||||||
|
libs_use_ld_so($1_su_t)
|
||||||
|
libs_use_shared_libs($1_su_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg($1_su_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization($1_su_t)
|
||||||
|
|
||||||
|
seutil_read_config($1_su_t)
|
||||||
|
seutil_read_default_contexts($1_su_t)
|
||||||
|
|
||||||
|
userdom_use_user_terminals($1,$1_su_t)
|
||||||
|
|
||||||
|
if(secure_mode)
|
||||||
|
{
|
||||||
|
# Only allow transitions to unprivileged user domains.
|
||||||
|
userdom_spec_domtrans_unpriv_users($1_su_t)
|
||||||
|
} else {
|
||||||
|
# Allow transitions to all user domains
|
||||||
|
userdom_spec_domtrans_all_users($1_su_t)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (use_nfs_home_dirs) {
|
||||||
|
fs_search_nfs($1_su_t)
|
||||||
|
}
|
||||||
|
|
||||||
|
if (use_samba_home_dirs) {
|
||||||
|
fs_search_cifs($1_su_t)
|
||||||
|
}
|
||||||
|
|
||||||
|
optional_policy(`crond.te',`
|
||||||
|
cron_read_pipe($1_su_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`kerberos.te',`
|
||||||
|
kerberos_use($1_su_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis.te',`
|
||||||
|
nis_use_ypbind($1_su_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nscd.te',`
|
||||||
|
nscd_use_socket($1_su_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
|
||||||
|
ifdef(`support_polyinstantiation', `
|
||||||
|
typeattribute $1_su_t mlsfileread;
|
||||||
|
typeattribute $1_su_t mlsfilewrite;
|
||||||
|
typeattribute $1_su_t mlsfileupgrade;
|
||||||
|
typeattribute $1_su_t mlsfiledowngrade;
|
||||||
|
typeattribute $1_su_t mlsprocsetsl;
|
||||||
|
# Su can polyinstantiate
|
||||||
|
polyinstantiater($1_su_t)
|
||||||
|
# Su has to unmount polyinstantiated directories (like home)
|
||||||
|
# that should not be polyinstantiated under the new user
|
||||||
|
allow $1_su_t fs_t:filesystem unmount;
|
||||||
|
# Su needs additional permission to mount over a previous mount
|
||||||
|
allow $1_su_t polymember:dir mounton;
|
||||||
|
')
|
||||||
|
|
||||||
|
# Caused by su - init scripts
|
||||||
|
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
||||||
|
|
||||||
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
|
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
|
allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
|
||||||
|
allow $1_su_t $1_home_t:file create_file_perms;
|
||||||
|
|
||||||
|
ifdef(`user_canbe_sysadm', `
|
||||||
|
allow $1_su_t home_dir_type:dir { search write };
|
||||||
|
', `
|
||||||
|
dontaudit $1_su_t home_dir_type:dir { search write };
|
||||||
|
')
|
||||||
|
|
||||||
|
# Modify .Xauthority file (via xauth program).
|
||||||
|
ifdef(`xauth.te', `
|
||||||
|
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
||||||
|
file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
|
||||||
|
file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
|
||||||
|
domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`cyrus.te', `
|
||||||
|
allow $1_su_t cyrus_var_lib_t:dir search;
|
||||||
|
')
|
||||||
|
ifdef(`ssh.te', `
|
||||||
|
# Access sshd cookie files.
|
||||||
|
allow $1_su_t sshd_tmp_t:file rw_file_perms;
|
||||||
|
file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
|
||||||
|
')
|
||||||
|
') dnl end TODO
|
||||||
')
|
')
|
||||||
|
|
||||||
type $1_su_t;
|
|
||||||
domain_entry_file($1_su_t,su_exec_t)
|
|
||||||
domain_type($1_su_t)
|
|
||||||
domain_role_change_exempt($1_su_t)
|
|
||||||
domain_subj_id_change_exempt($1_su_t)
|
|
||||||
domain_obj_id_change_exempt($1_su_t)
|
|
||||||
domain_wide_inherit_fd($1_su_t)
|
|
||||||
role $3 types $1_su_t;
|
|
||||||
|
|
||||||
allow $2 $1_su_t:process signal;
|
|
||||||
|
|
||||||
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
|
||||||
dontaudit $1_su_t self:capability sys_tty_config;
|
|
||||||
allow $1_su_t self:process { setexec setsched setrlimit };
|
|
||||||
allow $1_su_t self:fifo_file rw_file_perms;
|
|
||||||
|
|
||||||
# Transition from the user domain to this domain.
|
|
||||||
domain_auto_trans($2, su_exec_t, $1_su_t)
|
|
||||||
allow $2 $1_su_t:fd use;
|
|
||||||
allow $1_su_t $2:fd use;
|
|
||||||
allow $1_su_t $2:fifo_file rw_file_perms;
|
|
||||||
allow $1_su_t $2:process sigchld;
|
|
||||||
|
|
||||||
# By default, revert to the calling domain when a shell is executed.
|
|
||||||
corecmd_shell_domtrans($1_su_t,$2)
|
|
||||||
allow $2 $1_su_t:fd use;
|
|
||||||
allow $1_su_t $2:fd use;
|
|
||||||
allow $1_su_t $2:fifo_file rw_file_perms;
|
|
||||||
allow $1_su_t $2:process sigchld;
|
|
||||||
|
|
||||||
kernel_read_system_state($1_su_t)
|
|
||||||
kernel_read_kernel_sysctl($1_su_t)
|
|
||||||
|
|
||||||
# for SSP
|
|
||||||
dev_read_urand($1_su_t)
|
|
||||||
|
|
||||||
fs_search_auto_mountpoints($1_su_t)
|
|
||||||
|
|
||||||
selinux_get_fs_mount($1_su_t)
|
|
||||||
selinux_validate_context($1_su_t)
|
|
||||||
selinux_compute_access_vector($1_su_t)
|
|
||||||
selinux_compute_create_context($1_su_t)
|
|
||||||
selinux_compute_relabel_context($1_su_t)
|
|
||||||
selinux_compute_user_contexts($1_su_t)
|
|
||||||
|
|
||||||
# Relabel ttys and ptys.
|
|
||||||
term_relabel_all_user_ttys($1_su_t)
|
|
||||||
term_relabel_all_user_ptys($1_su_t)
|
|
||||||
# Close and re-open ttys and ptys to get the fd into the correct domain.
|
|
||||||
term_use_all_user_ttys($1_su_t)
|
|
||||||
term_use_all_user_ptys($1_su_t)
|
|
||||||
|
|
||||||
auth_domtrans_user_chk_passwd($1_su_t,$1)
|
|
||||||
auth_dontaudit_read_shadow($1_su_t)
|
|
||||||
|
|
||||||
domain_wide_inherit_fd($1_su_t)
|
|
||||||
|
|
||||||
files_read_etc_files($1_su_t)
|
|
||||||
files_search_var_lib($1_su_t)
|
|
||||||
|
|
||||||
init_dontaudit_use_fd($1_su_t)
|
|
||||||
# Write to utmp.
|
|
||||||
init_rw_script_pid($1_su_t)
|
|
||||||
|
|
||||||
libs_use_ld_so($1_su_t)
|
|
||||||
libs_use_shared_libs($1_su_t)
|
|
||||||
|
|
||||||
logging_send_syslog_msg($1_su_t)
|
|
||||||
|
|
||||||
miscfiles_read_localization($1_su_t)
|
|
||||||
|
|
||||||
seutil_read_config($1_su_t)
|
|
||||||
seutil_read_default_contexts($1_su_t)
|
|
||||||
|
|
||||||
userdom_use_user_terminals($1,$1_su_t)
|
|
||||||
|
|
||||||
if(secure_mode)
|
|
||||||
{
|
|
||||||
# Only allow transitions to unprivileged user domains.
|
|
||||||
userdom_spec_domtrans_unpriv_users($1_su_t)
|
|
||||||
} else {
|
|
||||||
# Allow transitions to all user domains
|
|
||||||
userdom_spec_domtrans_all_users($1_su_t)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (use_nfs_home_dirs) {
|
|
||||||
fs_search_nfs($1_su_t)
|
|
||||||
}
|
|
||||||
|
|
||||||
if (use_samba_home_dirs) {
|
|
||||||
fs_search_cifs($1_su_t)
|
|
||||||
}
|
|
||||||
|
|
||||||
optional_policy(`crond.te',`
|
|
||||||
cron_read_pipe($1_su_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`kerberos.te',`
|
|
||||||
kerberos_use($1_su_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
|
||||||
nis_use_ypbind($1_su_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nscd.te',`
|
|
||||||
nscd_use_socket($1_su_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`TODO',`
|
|
||||||
# Caused by su - init scripts
|
|
||||||
dontaudit $1_su_t initrc_devpts_t:chr_file { getattr ioctl };
|
|
||||||
|
|
||||||
# Inherit and use descriptors from gnome-pty-helper.
|
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
|
|
||||||
|
|
||||||
allow $1_su_t { home_root_t $1_home_dir_t }:dir search;
|
|
||||||
allow $1_su_t $1_home_t:file create_file_perms;
|
|
||||||
|
|
||||||
ifdef(`user_canbe_sysadm', `
|
|
||||||
allow $1_su_t home_dir_type:dir { search write };
|
|
||||||
', `
|
|
||||||
dontaudit $1_su_t home_dir_type:dir { search write };
|
|
||||||
')
|
|
||||||
|
|
||||||
# Modify .Xauthority file (via xauth program).
|
|
||||||
ifdef(`xauth.te', `
|
|
||||||
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
|
||||||
file_type_auto_trans($1_su_t, user_home_dir_t, user_xauth_home_t, file)
|
|
||||||
file_type_auto_trans($1_su_t, sysadm_home_dir_t, sysadm_xauth_home_t, file)
|
|
||||||
domain_auto_trans($1_su_t, xauth_exec_t, $1_xauth_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
ifdef(`cyrus.te', `
|
|
||||||
allow $1_su_t cyrus_var_lib_t:dir search;
|
|
||||||
')
|
|
||||||
ifdef(`ssh.te', `
|
|
||||||
# Access sshd cookie files.
|
|
||||||
allow $1_su_t sshd_tmp_t:file rw_file_perms;
|
|
||||||
file_type_auto_trans($1_su_t, sshd_tmp_t, $1_tmp_t)
|
|
||||||
')
|
|
||||||
') dnl end TODO
|
|
||||||
')
|
')
|
||||||
|
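Review bot: The new capability rule for `$1_su_t` adds `audit_control` without a comment saying why, and CAP_AUDIT_CONTROL is the capability that permits changing kernel audit configuration, so its grant deserves a justification next to the rule. The accompanying `netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }` rule only covers relaying user-space audit messages, not rewriting audit rules, which bounds the exposure; presumably `audit_control` is for writing the login uid, so I would add `# audit_control: presumably for setting /proc/self/loginuid (pam_loginuid) — TODO confirm; nlmsg_relay alone does not permit audit rule changes` above the rule. Separately, `domain_wide_inherit_fd($1_su_t)` is called twice in the new body (once among the domain declarations and again after the auth calls); dropping one removes the duplication. The enclosing `su_per_userdomain_template` starts before this hunk.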
@ -54,7 +54,7 @@ template(`sudo_per_userdomain_template',`
|
|||||||
#
|
#
|
||||||
|
|
||||||
# Use capabilities.
|
# Use capabilities.
|
||||||
allow $1_sudo_t self:capability { setuid setgid dac_override sys_resource };
|
allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_resource };
|
||||||
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||||
allow $1_sudo_t self:process { setexec setrlimit };
|
allow $1_sudo_t self:process { setexec setrlimit };
|
||||||
allow $1_sudo_t self:fd use;
|
allow $1_sudo_t self:fd use;
|
||||||
|
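Review bot: The `fowner` grant added on the `$1_sudo_t` capability rule has no comment, and CAP_FOWNER bypasses owner checks on permission and attribute changes, so the rule should say which sudo operation needs it. The two `self:process` rules in the same hunk also contradict each other: the `~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }` rule excludes `setexec` and `setrlimit`, and the very next rule grants exactly those two, so the exclusion list misleads a reader about the effective policy. Merging them into one rule that lists what is really denied, e.g. `allow $1_sudo_t self:process ~{ ptrace setcurrent setfscreate execmem execstack execheap };`, states the effective permissions directly. The enclosing `sudo_per_userdomain_template` starts before this hunk.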
@ -75,7 +75,7 @@ template(`gpg_per_userdomain_template',`
|
|||||||
allow $1_gpg_t self:capability { ipc_lock setuid };
|
allow $1_gpg_t self:capability { ipc_lock setuid };
|
||||||
allow { $2 $1_gpg_t } $1_gpg_t:process signal;
|
allow { $2 $1_gpg_t } $1_gpg_t:process signal;
|
||||||
# setrlimit is for ulimit -c 0
|
# setrlimit is for ulimit -c 0
|
||||||
allow $1_gpg_t self:process { setrlimit setcap };
|
allow $1_gpg_t self:process { setrlimit setcap setpgid };
|
||||||
|
|
||||||
allow $1_gpg_t self:fifo_file rw_file_perms;
|
allow $1_gpg_t self:fifo_file rw_file_perms;
|
||||||
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
|
allow $1_gpg_t self:tcp_socket create_stream_socket_perms;
|
||||||
@ -84,9 +84,6 @@ template(`gpg_per_userdomain_template',`
|
|||||||
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
|
allow $1_gpg_t $1_gpg_secret_t:file create_file_perms;
|
||||||
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
|
allow $1_gpg_t $1_gpg_secret_t:lnk_file create_lnk_perms;
|
||||||
|
|
||||||
allow $2 $1_gpg_secret_t:file getattr;
|
|
||||||
allow $2 $1_gpg_secret_t:dir rw_dir_perms;
|
|
||||||
|
|
||||||
corenet_tcp_sendrecv_all_if($1_gpg_t)
|
corenet_tcp_sendrecv_all_if($1_gpg_t)
|
||||||
corenet_raw_sendrecv_all_if($1_gpg_t)
|
corenet_raw_sendrecv_all_if($1_gpg_t)
|
||||||
corenet_udp_sendrecv_all_if($1_gpg_t)
|
corenet_udp_sendrecv_all_if($1_gpg_t)
|
||||||
@ -97,6 +94,7 @@ template(`gpg_per_userdomain_template',`
|
|||||||
corenet_udp_sendrecv_all_ports($1_gpg_t)
|
corenet_udp_sendrecv_all_ports($1_gpg_t)
|
||||||
corenet_tcp_bind_all_nodes($1_gpg_t)
|
corenet_tcp_bind_all_nodes($1_gpg_t)
|
||||||
corenet_udp_bind_all_nodes($1_gpg_t)
|
corenet_udp_bind_all_nodes($1_gpg_t)
|
||||||
|
corenet_tcp_connect_all_ports($1_gpg_t)
|
||||||
|
|
||||||
dev_read_rand($1_gpg_t)
|
dev_read_rand($1_gpg_t)
|
||||||
dev_read_urand($1_gpg_t)
|
dev_read_urand($1_gpg_t)
|
||||||
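Review bot: `corenet_tcp_connect_all_ports($1_gpg_t)` lets the gpg domain initiate TCP connections to every port, which is broader than the keyserver traffic gpg generates; the same widening is added for `$1_gpg_helper_t`, `$1_crond_t` and `$1_mail_t` in later hunks, whereas the kerberos and ssh hunks use port-specific interfaces (`corenet_tcp_connect_kerberos_port`, `corenet_tcp_connect_ssh_port`). If no narrower interface exists for these domains yet, a comment naming the intended peer ports above each call, e.g. `# TODO: narrow to keyserver ports once a port-specific interface exists`, keeps the widening visible for later tightening. For the crond domain in particular it is worth stating whether outbound connections are needed by crond itself or only by the jobs it spawns. The enclosing `gpg_per_userdomain_template` starts before this hunk.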
@ -108,8 +106,6 @@ template(`gpg_per_userdomain_template',`
|
|||||||
files_read_etc_files($1_gpg_t)
|
files_read_etc_files($1_gpg_t)
|
||||||
files_read_usr_files($1_gpg_t)
|
files_read_usr_files($1_gpg_t)
|
||||||
files_dontaudit_search_var($1_gpg_t)
|
files_dontaudit_search_var($1_gpg_t)
|
||||||
# should not need read access...
|
|
||||||
files_list_home($1_gpg_t)
|
|
||||||
|
|
||||||
libs_use_shared_libs($1_gpg_t)
|
libs_use_shared_libs($1_gpg_t)
|
||||||
libs_use_ld_so($1_gpg_t)
|
libs_use_ld_so($1_gpg_t)
|
||||||
@ -122,54 +118,22 @@ template(`gpg_per_userdomain_template',`
|
|||||||
|
|
||||||
userdom_use_user_terminals($1,$1_gpg_t)
|
userdom_use_user_terminals($1,$1_gpg_t)
|
||||||
|
|
||||||
# Legacy
|
|
||||||
tunable_policy(`allow_gpg_execstack',`
|
|
||||||
allow $1_gpg_t self:process execmem;
|
|
||||||
libs_legacy_use_shared_libs($1_gpg_t)
|
|
||||||
libs_legacy_use_ld_so($1_gpg_t)
|
|
||||||
miscfiles_legacy_read_localization($1_gpg_t)
|
|
||||||
# Not quite sure why this is needed...
|
|
||||||
allow $1_gpg_t gpg_exec_t:file execmod;
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`use_nfs_home_dirs',`
|
|
||||||
fs_manage_nfs_dirs($1_gpg_t)
|
|
||||||
fs_manage_nfs_files($1_gpg_t)
|
|
||||||
fs_manage_nfs_symlinks($1_gpg_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
tunable_policy(`use_samba_home_dirs',`
|
|
||||||
fs_manage_cifs_dirs($1_gpg_t)
|
|
||||||
fs_manage_cifs_files($1_gpg_t)
|
|
||||||
fs_manage_cifs_symlinks($1_gpg_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind($1_gpg_t)
|
nis_use_ypbind($1_gpg_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
# Read content to encrypt/decrypt/sign
|
||||||
|
read_content($1_gpg_t, $1)
|
||||||
|
|
||||||
|
# Write content to encrypt/decrypt/sign
|
||||||
|
write_trusted($1_gpg_t, $1)
|
||||||
|
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow $1_gpg_t $1_gph_t:fd use;')
|
||||||
|
|
||||||
# allow ps to show gpg
|
# allow ps to show gpg
|
||||||
can_ps($1_t, $1_gpg_t)
|
can_ps($1_t, $1_gpg_t)
|
||||||
|
|
||||||
# use $1_gpg_secret_t for files it creates
|
|
||||||
# NB we are doing the type transition for directory creation only!
|
|
||||||
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
|
|
||||||
# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
|
|
||||||
# a file and write output to your home directory it will use user_home_t.
|
|
||||||
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
|
|
||||||
|
|
||||||
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
|
|
||||||
create_dir_file($1_gpg_t, $1_home_t)
|
|
||||||
|
|
||||||
# allow the usual access to /tmp
|
|
||||||
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
|
|
||||||
|
|
||||||
rw_dir_create_file($1_gpg_t, $1_file_type)
|
|
||||||
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -210,6 +174,7 @@ template(`gpg_per_userdomain_template',`
|
|||||||
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
|
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
|
||||||
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
|
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
|
||||||
corenet_udp_bind_all_nodes($1_gpg_helper_t)
|
corenet_udp_bind_all_nodes($1_gpg_helper_t)
|
||||||
|
corenet_tcp_connect_all_ports($1_gpg_helper_t)
|
||||||
|
|
||||||
dev_read_urand($1_gpg_helper_t)
|
dev_read_urand($1_gpg_helper_t)
|
||||||
|
|
||||||
@ -232,9 +197,8 @@ template(`gpg_per_userdomain_template',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
ifdef(`xdm.te',`
|
||||||
dontaudit $1_gpg_t xdm_t:fd use;
|
can_pipe_xdm($1_gpg_t)
|
||||||
dontaudit $1_gpg_t xdm_t:fifo_file read;
|
|
||||||
')
|
')
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
|
||||||
@ -296,8 +260,6 @@ template(`gpg_per_userdomain_template',`
|
|||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
allow $1_gpg_agent_t xdm_t:fd use;
|
|
||||||
|
|
||||||
# allow ps to show gpg-agent
|
# allow ps to show gpg-agent
|
||||||
can_ps($1_t, $1_gpg_agent_t)
|
can_ps($1_t, $1_gpg_agent_t)
|
||||||
|
|
||||||
@ -353,7 +315,6 @@ template(`gpg_per_userdomain_template',`
|
|||||||
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
||||||
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
||||||
allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
|
allow $1_gpg_pinentry_t xdm_xserver_t:unix_stream_socket connectto;
|
||||||
allow $1_gpg_pinentry_t xdm_t:fd use;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
|
allow $1_gpg_pinentry_t { tmp_t home_root_t }:dir { getattr search };
|
||||||
|
@ -62,10 +62,6 @@ type inotifyfs_t, filesystem_type;
|
|||||||
allow inotifyfs_t self:filesystem associate;
|
allow inotifyfs_t self:filesystem associate;
|
||||||
genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)
|
genfscon inotifyfs / context_template(system_u:object_r:inotifyfs_t,s0)
|
||||||
|
|
||||||
type mqueue_t, filesystem_type;
|
|
||||||
files_mountpoint(mqueue_t)
|
|
||||||
allow mqueue_t self:filesystem associate;
|
|
||||||
|
|
||||||
type nfsd_fs_t, filesystem_type;
|
type nfsd_fs_t, filesystem_type;
|
||||||
genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
|
genfscon nfsd / context_template(system_u:object_r:nfsd_fs_t,s0)
|
||||||
|
|
||||||
@ -86,12 +82,14 @@ genfscon rpc_pipefs / context_template(system_u:object_r:rpc_pipefs_t,s0)
|
|||||||
#
|
#
|
||||||
type tmpfs_t, filesystem_type;
|
type tmpfs_t, filesystem_type;
|
||||||
files_type(tmpfs_t)
|
files_type(tmpfs_t)
|
||||||
|
files_mountpoint(tmpfs_t)
|
||||||
|
|
||||||
# Use a transition SID based on the allocating task SID and the
|
# Use a transition SID based on the allocating task SID and the
|
||||||
# filesystem SID to label inodes in the following filesystem types,
|
# filesystem SID to label inodes in the following filesystem types,
|
||||||
# and label the filesystem itself with the specified context.
|
# and label the filesystem itself with the specified context.
|
||||||
# This is appropriate for pseudo filesystems like devpts and tmpfs
|
# This is appropriate for pseudo filesystems like devpts and tmpfs
|
||||||
# where we want to label objects with a derived type.
|
# where we want to label objects with a derived type.
|
||||||
|
fs_use_trans mqueue context_template(system_u:object_r:tmpfs_t,s0);
|
||||||
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
|
fs_use_trans shm context_template(system_u:object_r:tmpfs_t,s0);
|
||||||
fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
|
fs_use_trans tmpfs context_template(system_u:object_r:tmpfs_t,s0);
|
||||||
|
|
||||||
|
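Review bot: `fs_use_trans mqueue context_template(system_u:object_r:tmpfs_t,s0);`, together with the removal of `mqueue_t` in the previous hunk, makes POSIX message queue inodes share the `tmpfs_t` label, so every rule that already grants access to `tmpfs_t` now also covers mqueuefs. That may well be the intended upstream behaviour, but it is a silent widening and the comment block above only mentions devpts and tmpfs; I would add `# mqueue shares tmpfs_t: domains with tmpfs_t access can also reach POSIX message queues` next to the new line. `files_mountpoint(tmpfs_t)` is likewise uncommented; a short note on which mount it supports would help.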
@ -28,7 +28,7 @@ attribute sysctl_type;
|
|||||||
type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
|
type kernel_t, can_load_kernmodule; # mlsprocread, mlsprocwrite, privrangetrans
|
||||||
role system_r types kernel_t;
|
role system_r types kernel_t;
|
||||||
domain_base_type(kernel_t)
|
domain_base_type(kernel_t)
|
||||||
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127)
|
sid kernel context_template(system_u:system_r:kernel_t,s0 - s9:c0.c127, c0.c127)
|
||||||
|
|
||||||
#
|
#
|
||||||
# Procfs types
|
# Procfs types
|
||||||
|
@ -15,7 +15,7 @@ attribute can_setsecparam;
|
|||||||
# the permissions in the security class. It is also
|
# the permissions in the security class. It is also
|
||||||
# applied to selinuxfs inodes.
|
# applied to selinuxfs inodes.
|
||||||
#
|
#
|
||||||
type security_t;
|
type security_t; #, mlstrustedobject;
|
||||||
fs_type(security_t)
|
fs_type(security_t)
|
||||||
sid security context_template(system_u:object_r:security_t,s0)
|
sid security context_template(system_u:object_r:security_t,s0)
|
||||||
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
|
genfscon selinuxfs / context_template(system_u:object_r:security_t,s0)
|
||||||
|
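Review bot: `type security_t; #, mlstrustedobject;` leaves a commented-out attribute in the declaration with no note on whether it is pending or rejected, which reads as dead code. Either drop the trailing comment or make the decision explicit, e.g. `type security_t; # TODO: decide whether security_t should carry mlstrustedobject`.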
@ -91,6 +91,7 @@ template(`cron_per_userdomain_template',`
|
|||||||
corenet_udp_sendrecv_all_ports($1_crond_t)
|
corenet_udp_sendrecv_all_ports($1_crond_t)
|
||||||
corenet_tcp_bind_all_nodes($1_crond_t)
|
corenet_tcp_bind_all_nodes($1_crond_t)
|
||||||
corenet_udp_bind_all_nodes($1_crond_t)
|
corenet_udp_bind_all_nodes($1_crond_t)
|
||||||
|
corenet_tcp_connect_all_ports($1_crond_t)
|
||||||
|
|
||||||
dev_read_urand($1_crond_t)
|
dev_read_urand($1_crond_t)
|
||||||
|
|
||||||
@ -188,6 +189,8 @@ template(`cron_per_userdomain_template',`
|
|||||||
# crontab signals crond by updating the mtime on the spooldir
|
# crontab signals crond by updating the mtime on the spooldir
|
||||||
allow $1_crontab_t cron_spool_t:dir setattr;
|
allow $1_crontab_t cron_spool_t:dir setattr;
|
||||||
|
|
||||||
|
kernel_read_system_state($1_crontab_t)
|
||||||
|
|
||||||
# for the checks used by crontab -u
|
# for the checks used by crontab -u
|
||||||
selinux_dontaudit_search_fs($1_crontab_t)
|
selinux_dontaudit_search_fs($1_crontab_t)
|
||||||
|
|
||||||
@ -210,7 +213,7 @@ template(`cron_per_userdomain_template',`
|
|||||||
|
|
||||||
miscfiles_read_localization($1_crontab_t)
|
miscfiles_read_localization($1_crontab_t)
|
||||||
|
|
||||||
seutil_dontaudit_search_config($1_crontab_t)
|
seutil_read_config($1_crontab_t)
|
||||||
|
|
||||||
userdom_manage_user_tmp_dirs($1,$1_crontab_t)
|
userdom_manage_user_tmp_dirs($1,$1_crontab_t)
|
||||||
userdom_manage_user_tmp_files($1,$1_crontab_t)
|
userdom_manage_user_tmp_files($1,$1_crontab_t)
|
||||||
|
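Review bot: Replacing `seutil_dontaudit_search_config($1_crontab_t)` with `seutil_read_config($1_crontab_t)` turns a silenced denial into a real read grant on the SELinux configuration, and the hunk gives no reason for the widening. The `# for the checks used by crontab -u` comment in the previous hunk suggests a context lookup for the target user; if that is the reason, say so above the call, e.g. `# crontab -u presumably needs the SELinux config to compute the target user's context — confirm`. The `kernel_read_system_state($1_crontab_t)` added in the previous hunk is also uncommented. The enclosing `cron_per_userdomain_template` starts before this hunk.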
@ -46,12 +46,13 @@ template(`dbus_per_userdomain_template',`
|
|||||||
#
|
#
|
||||||
|
|
||||||
allow $1_dbusd_t self:process { getattr sigkill signal };
|
allow $1_dbusd_t self:process { getattr sigkill signal };
|
||||||
|
allow $1_dbusd_t self:file { getattr read write };
|
||||||
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
|
allow $1_dbusd_t self:dbus { send_msg acquire_svc };
|
||||||
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
|
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
|
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||||
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
|
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
|
||||||
# Receive notifications of policy reloads and enforcing status changes.
|
# Receive notifications of policy reloads and enforcing status changes.
|
||||||
allow $1_dbusd_t self:netlink_selinux_socket { create bind read };
|
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
|
||||||
|
|
||||||
# For connecting to the bus
|
# For connecting to the bus
|
||||||
allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
||||||
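Review bot: The change from `netlink_selinux_socket { create bind read }` to `create_socket_perms` grants more than the comment directly above it describes: `# Receive notifications of policy reloads and enforcing status changes.` is satisfied by the create/bind/read set, while `create_socket_perms` also carries write and option-setting permissions. If a specific extra permission was being denied, the rule should name it; otherwise I would keep the explicit set and add only what was actually denied. The new `allow $1_dbusd_t self:file { getattr read write };` is also uncommented — presumably for the daemon's own /proc entries, which a why-comment should confirm. The enclosing `dbus_per_userdomain_template` starts before this hunk.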
@ -141,6 +142,12 @@ template(`dbus_per_userdomain_template',`
|
|||||||
optional_policy(`nscd.te',`
|
optional_policy(`nscd.te',`
|
||||||
nscd_use_socket($1_dbusd_t)
|
nscd_use_socket($1_dbusd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
ifdef(`xdm.te', `
|
||||||
|
can_pipe_xdm($1_dbusd_t)
|
||||||
|
')
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
|
@ -1,6 +1,10 @@
|
|||||||
/etc/krb5\.conf -- context_template(system_u:object_r:krb5_conf_t,s0)
|
/etc/krb5\.conf -- context_template(system_u:object_r:krb5_conf_t,s0)
|
||||||
/etc/krb5\.keytab context_template(system_u:object_r:krb5_keytab_t,s0)
|
/etc/krb5\.keytab context_template(system_u:object_r:krb5_keytab_t,s0)
|
||||||
|
|
||||||
|
/etc/krb5kdc(/.*)? context_template(system_u:object_r:krb5kdc_conf_t,s0)
|
||||||
|
/etc/krb5kdc/kadm5.keytab -- context_template(system_u:object_r:krb5_keytab_t,s0)
|
||||||
|
/etc/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
|
||||||
|
|
||||||
/usr(/local)?(/kerberos)?/sbin/krb5kdc -- context_template(system_u:object_r:krb5kdc_exec_t,s0)
|
/usr(/local)?(/kerberos)?/sbin/krb5kdc -- context_template(system_u:object_r:krb5kdc_exec_t,s0)
|
||||||
/usr(/local)?(/kerberos)?/sbin/kadmind -- context_template(system_u:object_r:kadmind_exec_t,s0)
|
/usr(/local)?(/kerberos)?/sbin/kadmind -- context_template(system_u:object_r:kadmind_exec_t,s0)
|
||||||
|
|
||||||
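Review bot: The new entry `/etc/krb5kdc/kadm5.keytab` leaves the dot unescaped, unlike `/etc/krb5\.conf` and `/etc/krb5\.keytab` just above, so the pattern also matches any single character in that position; write it as `/etc/krb5kdc/kadm5\.keytab -- context_template(system_u:object_r:krb5_keytab_t,s0)`. This entry is what gives the kadmin keytab its own `krb5_keytab_t` label under a directory otherwise covered by `/etc/krb5kdc(/.*)?`, so the literal form is presumably what is relied on to keep the more specific match winning.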
@ -11,4 +15,4 @@
|
|||||||
/var/kerberos/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
|
/var/kerberos/krb5kdc/principal.* context_template(system_u:object_r:krb5kdc_principal_t,s0)
|
||||||
|
|
||||||
/var/log/krb5kdc\.log context_template(system_u:object_r:krb5kdc_log_t,s0)
|
/var/log/krb5kdc\.log context_template(system_u:object_r:krb5kdc_log_t,s0)
|
||||||
/var/log/kadmind\.log context_template(system_u:object_r:kadmind_log_t,s0)
|
/var/log/kadmin(d)?\.log context_template(system_u:object_r:kadmind_log_t,s0)
|
||||||
|
@ -54,6 +54,7 @@ interface(`kerberos_use',`
|
|||||||
corenet_udp_sendrecv_kerberos_port($1)
|
corenet_udp_sendrecv_kerberos_port($1)
|
||||||
corenet_tcp_bind_all_nodes($1)
|
corenet_tcp_bind_all_nodes($1)
|
||||||
corenet_udp_bind_all_nodes($1)
|
corenet_udp_bind_all_nodes($1)
|
||||||
|
corenet_tcp_connect_kerberos_port($1)
|
||||||
sysnet_read_config($1)
|
sysnet_read_config($1)
|
||||||
sysnet_dns_name_resolve($1)
|
sysnet_dns_name_resolve($1)
|
||||||
')
|
')
|
||||||
|
@ -70,6 +70,7 @@ template(`mta_per_userdomain_template',`
|
|||||||
corenet_raw_sendrecv_all_nodes($1_mail_t)
|
corenet_raw_sendrecv_all_nodes($1_mail_t)
|
||||||
corenet_tcp_sendrecv_all_ports($1_mail_t)
|
corenet_tcp_sendrecv_all_ports($1_mail_t)
|
||||||
corenet_tcp_bind_all_nodes($1_mail_t)
|
corenet_tcp_bind_all_nodes($1_mail_t)
|
||||||
|
corenet_tcp_connect_all_ports($1_mail_t)
|
||||||
|
|
||||||
domain_use_wide_inherit_fd($1_mail_t)
|
domain_use_wide_inherit_fd($1_mail_t)
|
||||||
|
|
||||||
|
@ -110,6 +110,7 @@ template(`ssh_per_userdomain_template',`
|
|||||||
corenet_raw_sendrecv_all_nodes($1_ssh_t)
|
corenet_raw_sendrecv_all_nodes($1_ssh_t)
|
||||||
corenet_tcp_sendrecv_all_ports($1_ssh_t)
|
corenet_tcp_sendrecv_all_ports($1_ssh_t)
|
||||||
corenet_tcp_bind_all_nodes($1_ssh_t)
|
corenet_tcp_bind_all_nodes($1_ssh_t)
|
||||||
|
corenet_tcp_connect_ssh_port($1_ssh_t)
|
||||||
|
|
||||||
dev_read_urand($1_ssh_t)
|
dev_read_urand($1_ssh_t)
|
||||||
|
|
||||||
@ -132,6 +133,7 @@ template(`ssh_per_userdomain_template',`
|
|||||||
files_read_usr_files($1_ssh_t)
|
files_read_usr_files($1_ssh_t)
|
||||||
files_read_etc_runtime_files($1_ssh_t)
|
files_read_etc_runtime_files($1_ssh_t)
|
||||||
files_read_etc_files($1_ssh_t)
|
files_read_etc_files($1_ssh_t)
|
||||||
|
files_read_var_files($1_ssh_t)
|
||||||
|
|
||||||
libs_use_ld_so($1_ssh_t)
|
libs_use_ld_so($1_ssh_t)
|
||||||
libs_use_shared_libs($1_ssh_t)
|
libs_use_shared_libs($1_ssh_t)
|
||||||
@ -184,9 +186,6 @@ template(`ssh_per_userdomain_template',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
# Read /var.
|
|
||||||
allow $1_ssh_t var_t:dir r_dir_perms;
|
|
||||||
allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
|
|
||||||
|
|
||||||
# Read /var/run, /var/log.
|
# Read /var/run, /var/log.
|
||||||
allow $1_ssh_t var_run_t:dir r_dir_perms;
|
allow $1_ssh_t var_run_t:dir r_dir_perms;
|
||||||
@ -215,32 +214,33 @@ template(`ssh_per_userdomain_template',`
|
|||||||
# allow ps to show ssh
|
# allow ps to show ssh
|
||||||
can_ps($1_t, $1_ssh_t)
|
can_ps($1_t, $1_ssh_t)
|
||||||
|
|
||||||
ifdef(`xserver.te', `
|
# Connect to X server
|
||||||
# Communicate with the X server.
|
x_client_domain($1_ssh, $1)
|
||||||
can_unix_connect($1_ssh_t, $1_xserver_t)
|
|
||||||
allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
|
|
||||||
allow $1_ssh_t $1_xserver_tmp_t:dir search;
|
|
||||||
ifdef(`xdm.te', `
|
|
||||||
allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
|
|
||||||
allow $1_ssh_t { xdm_tmp_t }:sock_file write;
|
|
||||||
')
|
|
||||||
')dnl end if xserver
|
|
||||||
|
|
||||||
#allow ssh to access keys stored on removable media
|
#allow ssh to access keys stored on removable media
|
||||||
# Should we have a boolean around this?
|
# Should we have a boolean around this?
|
||||||
files_search_mnt($1_ssh_t)
|
files_search_mnt($1_ssh_t)
|
||||||
r_dir_file($1_ssh_t, removable_t)
|
r_dir_file($1_ssh_t, removable_t)
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
type $1_ssh_keysign_t, domain, nscd_client_domain;
|
||||||
# should be able to remove these two later
|
role $1_r types $1_ssh_keysign_t;
|
||||||
allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
|
|
||||||
allow $1_ssh_t xdm_xserver_tmp_t:dir search;
|
if (allow_ssh_keysign) {
|
||||||
allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
|
domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
|
||||||
allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
|
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
|
||||||
allow $1_ssh_t xdm_xserver_t:fd use;
|
allow $1_ssh_keysign_t self:capability { setgid setuid };
|
||||||
allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
|
allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
|
||||||
allow $1_ssh_t xdm_t:fd use;
|
uses_shlib($1_ssh_keysign_t)
|
||||||
')dnl end if xdm.te
|
dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
|
||||||
|
dontaudit $1_ssh_keysign_t proc_t:dir search;
|
||||||
|
dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
|
||||||
|
allow $1_ssh_keysign_t usr_t:dir search;
|
||||||
|
allow $1_ssh_keysign_t etc_t:file { getattr read };
|
||||||
|
allow $1_ssh_keysign_t self:dir search;
|
||||||
|
allow $1_ssh_keysign_t self:file { getattr read };
|
||||||
|
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||||
|
}
|
||||||
|
|
||||||
') dnl endif TODO
|
') dnl endif TODO
|
||||||
|
|
||||||
##############################
|
##############################
|
||||||
@ -301,7 +301,7 @@ template(`ssh_per_userdomain_template',`
|
|||||||
|
|
||||||
miscfiles_read_localization($1_ssh_agent_t)
|
miscfiles_read_localization($1_ssh_agent_t)
|
||||||
|
|
||||||
seutil_dontaudit_search_config($1_ssh_agent_t)
|
seutil_dontaudit_read_config($1_ssh_agent_t)
|
||||||
|
|
||||||
# Write to the user domain tty.
|
# Write to the user domain tty.
|
||||||
userdom_use_user_terminals($1,$1_ssh_agent_t)
|
userdom_use_user_terminals($1,$1_ssh_agent_t)
|
||||||
@ -325,14 +325,14 @@ template(`ssh_per_userdomain_template',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`xdm.te', `
|
optional_policy(`xdm.te', `
|
||||||
xdm_use_fd($1_ssh_agent_t)
|
|
||||||
xdm_rw_pipe($1_ssh_agent_t)
|
|
||||||
|
|
||||||
# KDM:
|
# KDM:
|
||||||
xdm_sigchld($1_ssh_agent_t)
|
#xdm_sigchld($1_ssh_agent_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
ifdef(`xdm.te',`
|
||||||
|
can_pipe_xdm($1_ssh_agent_t)
|
||||||
|
')
|
||||||
|
|
||||||
# allow ps to show ssh
|
# allow ps to show ssh
|
||||||
can_ps($1_t, $1_ssh_agent_t)
|
can_ps($1_t, $1_ssh_agent_t)
|
||||||
|
@ -47,12 +47,14 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
role $3 types $1_chkpwd_t;
|
role $3 types $1_chkpwd_t;
|
||||||
role $3 types system_chkpwd_t;
|
role $3 types system_chkpwd_t;
|
||||||
|
|
||||||
allow $1_chkpwd_t self:capability setuid;
|
allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
|
||||||
allow $1_chkpwd_t self:process getattr;
|
allow $1_chkpwd_t self:process getattr;
|
||||||
|
|
||||||
files_list_etc($1_chkpwd_t)
|
files_list_etc($1_chkpwd_t)
|
||||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||||
|
|
||||||
|
allow $2 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
|
|
||||||
# Transition from the user domain to this domain.
|
# Transition from the user domain to this domain.
|
||||||
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
domain_auto_trans($2,chkpwd_exec_t,$1_chkpwd_t)
|
||||||
|
|
||||||
@ -64,6 +66,9 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
# is_selinux_enabled
|
# is_selinux_enabled
|
||||||
kernel_read_system_state($1_chkpwd_t)
|
kernel_read_system_state($1_chkpwd_t)
|
||||||
|
|
||||||
|
dev_read_rand($1_chkpwd_t)
|
||||||
|
dev_read_urand($1_chkpwd_t)
|
||||||
|
|
||||||
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
fs_dontaudit_getattr_xattr_fs($1_chkpwd_t)
|
||||||
|
|
||||||
domain_use_wide_inherit_fd($1_chkpwd_t)
|
domain_use_wide_inherit_fd($1_chkpwd_t)
|
||||||
@ -82,6 +87,7 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
seutil_read_config($1_chkpwd_t)
|
seutil_read_config($1_chkpwd_t)
|
||||||
|
|
||||||
sysnet_dns_name_resolve($1_chkpwd_t)
|
sysnet_dns_name_resolve($1_chkpwd_t)
|
||||||
|
sysnet_use_ldap($1_chkpwd_t)
|
||||||
|
|
||||||
# Write to the user domain tty.
|
# Write to the user domain tty.
|
||||||
userdom_use_user_terminals($1,$1_chkpwd_t)
|
userdom_use_user_terminals($1,$1_chkpwd_t)
|
||||||
@ -93,17 +99,6 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
kerberos_use($1_chkpwd_t)
|
kerberos_use($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`ldap.te',`
|
|
||||||
allow $1_chkpwd_t self:tcp_socket create_socket_perms;
|
|
||||||
corenet_tcp_sendrecv_all_if($1_chkpwd_t)
|
|
||||||
corenet_raw_sendrecv_all_if($1_chkpwd_t)
|
|
||||||
corenet_tcp_sendrecv_all_nodes($1_chkpwd_t)
|
|
||||||
corenet_raw_sendrecv_all_nodes($1_chkpwd_t)
|
|
||||||
corenet_tcp_sendrecv_ldap_port($1_chkpwd_t)
|
|
||||||
corenet_tcp_bind_all_nodes($1_chkpwd_t)
|
|
||||||
sysnet_read_config($1_chkpwd_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind($1_chkpwd_t)
|
nis_use_ypbind($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
@ -115,6 +110,12 @@ template(`authlogin_per_userdomain_template',`
|
|||||||
optional_policy(`selinuxutil.te',`
|
optional_policy(`selinuxutil.te',`
|
||||||
seutil_use_newrole_fd($1_chkpwd_t)
|
seutil_use_newrole_fd($1_chkpwd_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
can_winbind($1)
|
||||||
|
r_dir_file($1, cert_t)
|
||||||
|
dontaudit $1 shadow_t:file { getattr read };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -221,6 +222,9 @@ interface(`auth_domtrans_chk_passwd',`
|
|||||||
corecmd_search_sbin($1)
|
corecmd_search_sbin($1)
|
||||||
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
|
domain_auto_trans($1,chkpwd_exec_t,system_chkpwd_t)
|
||||||
|
|
||||||
|
allow $1 self:capability { audit_write audit_control };
|
||||||
|
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
|
|
||||||
allow $1 system_chkpwd_t:fd use;
|
allow $1 system_chkpwd_t:fd use;
|
||||||
allow system_chkpwd_t $1:fd use;
|
allow system_chkpwd_t $1:fd use;
|
||||||
allow system_chkpwd_t $1:fifo_file rw_file_perms;
|
allow system_chkpwd_t $1:fifo_file rw_file_perms;
|
||||||
@ -228,26 +232,25 @@ interface(`auth_domtrans_chk_passwd',`
|
|||||||
|
|
||||||
dontaudit $1 shadow_t:file { getattr read };
|
dontaudit $1 shadow_t:file { getattr read };
|
||||||
|
|
||||||
|
dev_read_rand($1)
|
||||||
|
dev_read_urand($1)
|
||||||
|
|
||||||
sysnet_dns_name_resolve($1)
|
sysnet_dns_name_resolve($1)
|
||||||
|
sysnet_use_ldap($1)
|
||||||
|
|
||||||
optional_policy(`kerberos.te',`
|
optional_policy(`kerberos.te',`
|
||||||
kerberos_use($1)
|
kerberos_use($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`ldap.te',`
|
|
||||||
allow $1 self:tcp_socket create_socket_perms;
|
|
||||||
corenet_tcp_sendrecv_all_if($1)
|
|
||||||
corenet_raw_sendrecv_all_if($1)
|
|
||||||
corenet_tcp_sendrecv_all_nodes($1)
|
|
||||||
corenet_raw_sendrecv_all_nodes($1)
|
|
||||||
corenet_tcp_sendrecv_ldap_port($1)
|
|
||||||
corenet_tcp_bind_all_nodes($1)
|
|
||||||
sysnet_read_config($1)
|
|
||||||
')
|
|
||||||
|
|
||||||
optional_policy(`nis.te',`
|
optional_policy(`nis.te',`
|
||||||
nis_use_ypbind($1)
|
nis_use_ypbind($1)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
can_winbind($1)
|
||||||
|
r_dir_file($1, cert_t)
|
||||||
|
dontaudit $1 shadow_t:file { getattr read };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
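Review bot: `audit_control` is broader than emitting audit records needs, both on the helper (`allow $1_chkpwd_t self:capability { audit_write audit_control setuid };`) and, through `auth_domtrans_chk_passwd`, on every caller (`allow $1 self:capability { audit_write audit_control };`). CAP_AUDIT_CONTROL lets a process reconfigure or disable the audit subsystem, whereas sending user-space audit messages over `netlink_audit_socket` with `nlmsg_relay` requires only `audit_write`; unless the helper is observed to need AUDIT_GET/AUDIT_SET (older kernels gate AUDIT_GET on CAP_AUDIT_CONTROL), I'd reduce both lines to `audit_write` and confirm with audit2allow. Granting capabilities to `$1` as a side effect of a domain-transition interface is also surprising: every domain that merely wants to run the password helper silently gains them, so a separate opt-in interface in the logging module would keep the grant visible at each call site. `auth_domtrans_chk_passwd` begins outside this hunk.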
@ -46,11 +46,11 @@ ifdef(`targeted_policy',`
|
|||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
#
|
#
|
||||||
/opt/.*/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
|
/opt/(.*)?/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/opt/.*/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
|
/opt/(.*)?/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/opt/.*/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
|
/opt/(.*)?/sbin(/.*)? context_template(system_u:object_r:sbin_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
@ -70,23 +70,20 @@ ifdef(`distro_suse', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
/usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/sftp-server -- context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/emacsen-common/.* context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)
|
/usr/lib(64)?/ipsec/.* -- context_template(system_u:object_r:sbin_t,s0)
|
||||||
|
|
||||||
/usr/lib(64)?/misc/sftp-server -- context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/misc/sftp-server -- context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/usr/lib(64)?/news/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/news/bin(/.*)? context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_suse', `
|
ifdef(`distro_suse', `
|
||||||
/usr/lib(64)?/ssh/.* -- context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/ssh/.* -- context_template(system_u:object_r:bin_t,s0)
|
||||||
')
|
')
|
||||||
|
|
||||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- context_template(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- context_template(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- context_template(system_u:object_r:bin_t,s0)
|
||||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0)
|
/usr/lib(64)?/[^/]*/run-mozilla\.sh -- context_template(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/usr/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
|
/usr/libexec(/.*)? context_template(system_u:object_r:bin_t,s0)
|
||||||
/usr/libexec/openssh/sftp-server -- context_template(system_u:object_r:bin_t,s0)
|
/usr/libexec/openssh/sftp-server -- context_template(system_u:object_r:bin_t,s0)
|
||||||
@ -97,8 +94,8 @@ ifdef(`distro_suse', `
|
|||||||
|
|
||||||
/usr/share/gnucash/finance-quote-check -- context_template(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-check -- context_template(system_u:object_r:bin_t,s0)
|
||||||
/usr/share/gnucash/finance-quote-helper -- context_template(system_u:object_r:bin_t,s0)
|
/usr/share/gnucash/finance-quote-helper -- context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
/usr/share/mc/extfs/.* -- context_template(system_u:object_r:bin_t,s0)
|
/usr/share/mc/extfs/.* -- context_template(system_u:object_r:bin_t,s0)
|
||||||
|
/usr/share/turboprint/lib(/.*)? -- context_template(system_u:object_r:bin_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
|
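Review bot: The rewrite `/opt/(.*)?/bin(/.*)?` (and the `libexec` and `sbin` lines beside it) labels exactly the same paths as the old `/opt/.*/bin(/.*)?`, because `.*` already matches the empty string, so `(.*)?` is a no-op and `/opt/bin` itself is still not matched. If the intent was to cover `/opt/bin` as well as `/opt/<pkg>/bin`, the pattern wanted is `/opt/(.*/)?bin(/.*)?` (and likewise for `libexec` and `sbin`). The same `(.*)?` rewrite appears in the files.fc, libraries.fc and miscfiles.fc hunks of this commit. Until it is fixed, executables directly under `/opt/bin` presumably keep the generic `/opt(/.*)?` label from files.fc, so domains restricted to executing `bin_t` cannot run them.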
@ -19,8 +19,8 @@ ifdef(`distro_redhat',`
|
|||||||
# /boot
|
# /boot
|
||||||
#
|
#
|
||||||
/boot/\.journal <<none>>
|
/boot/\.journal <<none>>
|
||||||
|
/boot/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
|
||||||
/boot/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
/boot/lost\+found/.* <<none>>
|
||||||
|
|
||||||
#
|
#
|
||||||
# /etc
|
# /etc
|
||||||
@ -66,7 +66,8 @@ ifdef(`distro_gentoo', `
|
|||||||
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
|
# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd
|
||||||
HOME_ROOT -d context_template(system_u:object_r:home_root_t,s0)
|
HOME_ROOT -d context_template(system_u:object_r:home_root_t,s0)
|
||||||
HOME_ROOT/\.journal <<none>>
|
HOME_ROOT/\.journal <<none>>
|
||||||
HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
HOME_ROOT/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
|
||||||
|
HOME_ROOT/lost\+found/.* <<none>>
|
||||||
|
|
||||||
#
|
#
|
||||||
# /initrd
|
# /initrd
|
||||||
@ -77,7 +78,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|||||||
#
|
#
|
||||||
# /lost+found
|
# /lost+found
|
||||||
#
|
#
|
||||||
/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
|
||||||
|
/lost\+found/.* <<none>>
|
||||||
|
|
||||||
#
|
#
|
||||||
# /media
|
# /media
|
||||||
@ -98,7 +100,7 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|||||||
#
|
#
|
||||||
/opt(/.*)? context_template(system_u:object_r:usr_t,s0)
|
/opt(/.*)? context_template(system_u:object_r:usr_t,s0)
|
||||||
|
|
||||||
/opt/.*/var/lib(64)?(/.*)? context_template(system_u:object_r:var_lib_t,s0)
|
/opt/(.*)?/var/lib(64)?(/.*)? context_template(system_u:object_r:var_lib_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /proc
|
# /proc
|
||||||
@ -110,6 +112,11 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|||||||
#
|
#
|
||||||
/selinux(/.*)? <<none>>
|
/selinux(/.*)? <<none>>
|
||||||
|
|
||||||
|
#
|
||||||
|
# /srv
|
||||||
|
#
|
||||||
|
/srv(/.*)? context_template(system_u:object_r:var_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /sys
|
# /sys
|
||||||
#
|
#
|
||||||
@ -122,7 +129,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|||||||
/tmp/.* <<none>>
|
/tmp/.* <<none>>
|
||||||
/tmp/\.journal <<none>>
|
/tmp/\.journal <<none>>
|
||||||
|
|
||||||
/tmp/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
/tmp/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
|
||||||
|
/tmp/lost\+found/.* <<none>>
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
@ -130,8 +138,6 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|||||||
/usr(/.*)? context_template(system_u:object_r:usr_t,s0)
|
/usr(/.*)? context_template(system_u:object_r:usr_t,s0)
|
||||||
/usr/\.journal <<none>>
|
/usr/\.journal <<none>>
|
||||||
|
|
||||||
/usr/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|
||||||
|
|
||||||
/usr/etc(/.*)? context_template(system_u:object_r:etc_t,s0)
|
/usr/etc(/.*)? context_template(system_u:object_r:etc_t,s0)
|
||||||
|
|
||||||
/usr/inclu.e(/.*)? context_template(system_u:object_r:usr_t,s0)
|
/usr/inclu.e(/.*)? context_template(system_u:object_r:usr_t,s0)
|
||||||
@ -140,10 +146,14 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|||||||
|
|
||||||
/usr/local/etc(/.*)? context_template(system_u:object_r:etc_t,s0)
|
/usr/local/etc(/.*)? context_template(system_u:object_r:etc_t,s0)
|
||||||
|
|
||||||
/usr/local/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
/usr/local/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
|
||||||
|
/usr/local/lost\+found/.* <<none>>
|
||||||
|
|
||||||
/usr/local/src(/.*)? context_template(system_u:object_r:src_t,s0)
|
/usr/local/src(/.*)? context_template(system_u:object_r:src_t,s0)
|
||||||
|
|
||||||
|
/usr/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
|
||||||
|
/usr/lost\+found/.* <<none>>
|
||||||
|
|
||||||
/usr/share(/.*)?/lib(64)?(/.*)? context_template(system_u:object_r:usr_t,s0)
|
/usr/share(/.*)?/lib(64)?(/.*)? context_template(system_u:object_r:usr_t,s0)
|
||||||
|
|
||||||
/usr/src(/.*)? context_template(system_u:object_r:src_t,s0)
|
/usr/src(/.*)? context_template(system_u:object_r:src_t,s0)
|
||||||
@ -167,7 +177,8 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|||||||
|
|
||||||
/var/lock(/.*)? context_template(system_u:object_r:var_lock_t,s0)
|
/var/lock(/.*)? context_template(system_u:object_r:var_lock_t,s0)
|
||||||
|
|
||||||
/var/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
/var/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
|
||||||
|
/var/lost\+found/.* <<none>>
|
||||||
|
|
||||||
/var/run(/.*)? context_template(system_u:object_r:var_run_t,s0)
|
/var/run(/.*)? context_template(system_u:object_r:var_run_t,s0)
|
||||||
/var/run/.*\.*pid <<none>>
|
/var/run/.*\.*pid <<none>>
|
||||||
@ -176,5 +187,6 @@ HOME_ROOT/lost\+found(/.*)? context_template(system_u:object_r:lost_found_t,s0)
|
|||||||
|
|
||||||
/var/tmp -d context_template(system_u:object_r:tmp_t,s0)
|
/var/tmp -d context_template(system_u:object_r:tmp_t,s0)
|
||||||
/var/tmp/.* <<none>>
|
/var/tmp/.* <<none>>
|
||||||
|
/var/tmp/lost\+found -d context_template(system_u:object_r:lost_found_t,s0)
|
||||||
|
/var/tmp/lost\+found/.* <<none>>
|
||||||
/var/tmp/vi\.recover -d context_template(system_u:object_r:tmp_t,s0)
|
/var/tmp/vi\.recover -d context_template(system_u:object_r:tmp_t,s0)
|
||||||
|
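Review bot: `/srv(/.*)? context_template(system_u:object_r:var_t,s0)` types the whole service-data tree as `var_t`, the generic `/var` type. Any domain that can read or write generic `var_t` content then gets the same access to everything under `/srv`, and a service confined to its own content type gains nothing from this label; a dedicated type, or leaving the tree under the default `usr_t` with per-service rules, keeps the boundary meaningful. I can't see from this page which modules consume `/srv`, so treat this as a question rather than a blocker; at minimum a comment such as `# /srv: generic service data; individual services should relabel their own subtrees` would record the intent. Note that miscfiles.fc in this same commit carves `/srv/.../rsync` out as `ftpd_anon_t`, so pattern precedence between the two rules is being relied on.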
@ -73,15 +73,21 @@ interface(`files_pid_file',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
## <summary>
|
||||||
# files_tmp_file(type)
|
## Make the specified type a file
|
||||||
#
|
## used for temporary files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="file_type">
|
||||||
|
## Type of the file to be used as a
|
||||||
|
## temporary file.
|
||||||
|
## </param>
|
||||||
interface(`files_tmp_file',`
|
interface(`files_tmp_file',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
attribute tmpfile;
|
attribute tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
files_type($1)
|
files_type($1)
|
||||||
|
fs_associate_tmpfs($1)
|
||||||
typeattribute $1 tmpfile;
|
typeattribute $1 tmpfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
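Review bot: The new `fs_associate_tmpfs($1)` call in `files_tmp_file` is not reflected in the documentation added just above it, so callers reading the `<summary>` won't know the type is now also permitted to live on tmpfs. Extend it to something like `## Make the specified type a file used for temporary files, including on tmpfs filesystems.` Since every tmp type now gets the association, saying so stops module authors from adding a second, redundant `fs_associate_tmpfs` in their own modules.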
@ -15,8 +15,8 @@
|
|||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
#
|
#
|
||||||
/opt/.*/lib(64)?(/.*)? context_template(system_u:object_r:lib_t,s0)
|
/opt/(.*)?/lib(64)?(/.*)? context_template(system_u:object_r:lib_t,s0)
|
||||||
/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
|
/opt/(.*)?/lib(64)?/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /sbin
|
# /sbin
|
||||||
@ -26,6 +26,10 @@
|
|||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
#
|
#
|
||||||
|
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||||
|
|
||||||
|
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||||
|
|
||||||
/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
/usr(/.*)?/HelixPlayer/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||||
|
|
||||||
/usr(/.*)?/java/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
/usr(/.*)?/java/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||||
@ -41,6 +45,10 @@
|
|||||||
|
|
||||||
/usr/lib/win32/.* -- context_template(system_u:object_r:shlib_t,s0)
|
/usr/lib/win32/.* -- context_template(system_u:object_r:shlib_t,s0)
|
||||||
|
|
||||||
|
/usr/(local/)?lib/wine/.*\.so -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||||
|
/usr/(local/)?lib/libfame-.*\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||||
|
/usr/local/.*\.so(\.[^/]*)* -- context_template(system_u:object_r:shlib_t,s0)
|
||||||
|
|
||||||
/usr/X11R6/lib/libGL\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
/usr/X11R6/lib/libGL\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||||
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- context_template(system_u:object_r:texrel_shlib_t,s0)
|
||||||
|
|
||||||
|
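Review bot: `/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)*` has a literal `/` where `\.` was meant, so it matches `/usr/lib/libGL/Xso...`-style paths and never the real `libGL.so.1` or `libGLcore.so.1`; the line should read `/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- context_template(system_u:object_r:texrel_shlib_t,s0)`. Compare the correctly escaped `/usr/X11R6/lib/libGL\.so.*` further down the same hunk. As written the GL libraries presumably fall through to the generic `shlib_t` rule, and clients needing `execmod` on them would be denied instead of getting the `texrel_shlib_t` exception this line is trying to grant.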
@ -1,8 +1,13 @@
|
|||||||
## <summary>Policy for the kernel message logger and system logging daemon.</summary>
|
## <summary>Policy for the kernel message logger and system logging daemon.</summary>
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
#
|
## <summary>
|
||||||
# logging_log_file(domain)
|
## Make the specified type a file
|
||||||
|
## used for logs.
|
||||||
|
## </summary>
|
||||||
|
## <param name="file_type">
|
||||||
|
## Type of the file to be used as a log.
|
||||||
|
## </param>
|
||||||
#
|
#
|
||||||
interface(`logging_log_file',`
|
interface(`logging_log_file',`
|
||||||
gen_require(`
|
gen_require(`
|
||||||
@ -10,6 +15,7 @@ interface(`logging_log_file',`
|
|||||||
')
|
')
|
||||||
|
|
||||||
files_type($1)
|
files_type($1)
|
||||||
|
fs_associate_tmpfs($1)
|
||||||
typeattribute $1 logfile;
|
typeattribute $1 logfile;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
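Review bot: A stray `#` line is left between `## </param>` and `interface(`logging_log_file',`, which is inconsistent with the `files_tmp_file` hunk in this same commit (it goes straight from `## </param>` to `interface(`) and may confuse tooling that collects the `##` doc block; drop that line. The summary should also mention the new `fs_associate_tmpfs($1)` call, e.g. `## Make the specified type a file used for logs, including on tmpfs filesystems.`, so module authors know the association is already granted.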
@ -8,23 +8,18 @@
|
|||||||
#
|
#
|
||||||
/etc/lvm(/.*)? context_template(system_u:object_r:lvm_etc_t,s0)
|
/etc/lvm(/.*)? context_template(system_u:object_r:lvm_etc_t,s0)
|
||||||
/etc/lvm/\.cache -- context_template(system_u:object_r:lvm_metadata_t,s0)
|
/etc/lvm/\.cache -- context_template(system_u:object_r:lvm_metadata_t,s0)
|
||||||
|
|
||||||
/etc/lvm/archive(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
/etc/lvm/archive(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
||||||
|
|
||||||
/etc/lvm/backup(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
/etc/lvm/backup(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
||||||
|
|
||||||
/etc/lvm/lock(/.*)? context_template(system_u:object_r:lvm_lock_t,s0)
|
/etc/lvm/lock(/.*)? context_template(system_u:object_r:lvm_lock_t,s0)
|
||||||
|
|
||||||
/etc/lvmtab(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
/etc/lvmtab(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
||||||
|
|
||||||
/etc/lvmtab\.d(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
/etc/lvmtab\.d(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /lib
|
# /lib
|
||||||
#
|
#
|
||||||
/lib/lvm-10(/.*) -- context_template(system_u:object_r:lvm_exec_t,s0)
|
/lib/lvm-10/.* -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
|
/lib/lvm-200/.* -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
/lib/lvm-200(/.*) -- context_template(system_u:object_r:lvm_exec_t,s0)
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# /sbin
|
# /sbin
|
||||||
@ -50,6 +45,7 @@
|
|||||||
/sbin/lvresize -- context_template(system_u:object_r:lvm_exec_t,s0)
|
/sbin/lvresize -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
/sbin/lvs -- context_template(system_u:object_r:lvm_exec_t,s0)
|
/sbin/lvs -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
/sbin/lvscan -- context_template(system_u:object_r:lvm_exec_t,s0)
|
/sbin/lvscan -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
|
/sbin/multipathd -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
/sbin/pvchange -- context_template(system_u:object_r:lvm_exec_t,s0)
|
/sbin/pvchange -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
/sbin/pvcreate -- context_template(system_u:object_r:lvm_exec_t,s0)
|
/sbin/pvcreate -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
/sbin/pvdata -- context_template(system_u:object_r:lvm_exec_t,s0)
|
/sbin/pvdata -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
@ -82,9 +78,12 @@
|
|||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
#
|
#
|
||||||
|
/usr/sbin/clvmd -- context_template(system_u:object_r:clvmd_exec_t,s0)
|
||||||
/usr/sbin/lvm -- context_template(system_u:object_r:lvm_exec_t,s0)
|
/usr/sbin/lvm -- context_template(system_u:object_r:lvm_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
#
|
#
|
||||||
/var/lock/lvm(/.*)? context_template(system_u:object_r:lvm_lock_t,s0)
|
/var/lock/lvm(/.*)? context_template(system_u:object_r:lvm_lock_t,s0)
|
||||||
|
|
||||||
|
/var/cache/multipathd(/.*)? context_template(system_u:object_r:lvm_metadata_t,s0)
|
||||||
|
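Review bot: `/sbin/multipathd -- context_template(system_u:object_r:lvm_exec_t,s0)` puts a long-running daemon into `lvm_t`, which lvm.te declares with `init_system_domain` rather than a daemon domain, and `/var/cache/multipathd(/.*)?` becomes `lvm_metadata_t` so its cache is treated as LVM metadata. If multipathd runs under init for the life of the system it presumably needs daemon-style rules that lvm_t lacks, and sharing the domain also lets a multipathd bug operate with the full LVM privilege set; a separate domain, or at least a comment recording why the domain is shared, e.g. `# multipathd drives device-mapper like the LVM tools and shares lvm_t`, would help. I can't see the rest of lvm_t's rules from this page, so treat the daemon-rule gap as something to verify in permissive mode.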
@ -6,6 +6,13 @@ policy_module(lvm,1.0)
|
|||||||
# Declarations
|
# Declarations
|
||||||
#
|
#
|
||||||
|
|
||||||
|
type clvmd_t;
|
||||||
|
type clvmd_exec_t;
|
||||||
|
init_daemon_domain(clvmd_t,clvmd_exec_t)
|
||||||
|
|
||||||
|
type clvmd_var_run_t;
|
||||||
|
files_pid_file(clvmd_var_run_t)
|
||||||
|
|
||||||
type lvm_t;
|
type lvm_t;
|
||||||
type lvm_exec_t;
|
type lvm_exec_t;
|
||||||
init_system_domain(lvm_t,lvm_exec_t)
|
init_system_domain(lvm_t,lvm_exec_t)
|
||||||
@ -28,7 +35,91 @@ files_tmp_file(lvm_tmp_t)
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Cluster LVM daemon local policy
|
||||||
|
#
|
||||||
|
|
||||||
|
dontaudit clvmd_t self:capability sys_tty_config;
|
||||||
|
allow clvmd_t self:socket create_socket_perms;
|
||||||
|
allow clvmd_t self:fifo_file { read write };
|
||||||
|
allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
allow clvmd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow clvmd_t self:udp_socket create_socket_perms;
|
||||||
|
|
||||||
|
allow clvmd_t clvmd_var_run_t:file create_file_perms;
|
||||||
|
allow clvmd_t clvmd_var_run_t:dir rw_dir_perms;
|
||||||
|
files_create_pid(clvmd_t,clvmd_var_run_t)
|
||||||
|
|
||||||
|
kernel_read_kernel_sysctl(clvmd_t)
|
||||||
|
kernel_list_proc(clvmd_t)
|
||||||
|
kernel_read_proc_symlinks(clvmd_t)
|
||||||
|
|
||||||
|
corenet_tcp_sendrecv_all_if(clvmd_t)
|
||||||
|
corenet_udp_sendrecv_all_if(clvmd_t)
|
||||||
|
corenet_raw_sendrecv_all_if(clvmd_t)
|
||||||
|
corenet_tcp_sendrecv_all_nodes(clvmd_t)
|
||||||
|
corenet_udp_sendrecv_all_nodes(clvmd_t)
|
||||||
|
corenet_raw_sendrecv_all_nodes(clvmd_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(clvmd_t)
|
||||||
|
corenet_udp_sendrecv_all_ports(clvmd_t)
|
||||||
|
corenet_tcp_bind_all_nodes(clvmd_t)
|
||||||
|
corenet_udp_bind_all_nodes(clvmd_t)
|
||||||
|
corenet_tcp_bind_reserved_port(clvmd_t)
|
||||||
|
corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
|
||||||
|
|
||||||
|
dev_read_sysfs(clvmd_t)
|
||||||
|
|
||||||
|
fs_getattr_all_fs(clvmd_t)
|
||||||
|
fs_search_auto_mountpoints(clvmd_t)
|
||||||
|
|
||||||
|
term_dontaudit_use_console(clvmd_t)
|
||||||
|
|
||||||
|
domain_use_wide_inherit_fd(clvmd_t)
|
||||||
|
|
||||||
|
init_use_fd(clvmd_t)
|
||||||
|
init_use_script_pty(clvmd_t)
|
||||||
|
|
||||||
|
libs_use_ld_so(clvmd_t)
|
||||||
|
libs_use_shared_libs(clvmd_t)
|
||||||
|
|
||||||
|
logging_send_syslog_msg(clvmd_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(clvmd_t)
|
||||||
|
|
||||||
|
seutil_dontaudit_search_config(clvmd_t)
|
||||||
|
seutil_sigchld_newrole(clvmd_t)
|
||||||
|
|
||||||
|
sysnet_read_config(clvmd_t)
|
||||||
|
|
||||||
|
userdom_dontaudit_use_unpriv_user_fd(clvmd_t)
|
||||||
|
userdom_dontaudit_search_sysadm_home_dir(clvmd_t)
|
||||||
|
|
||||||
|
ifdef(`targeted_policy', `
|
||||||
|
term_dontaudit_use_unallocated_tty(clvmd_t)
|
||||||
|
term_dontaudit_use_generic_pty(clvmd_t)
|
||||||
|
files_dontaudit_read_root_file(clvmd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`mount.te',`
|
||||||
|
mount_send_nfs_client_request(clvmd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`nis.te',`
|
||||||
|
nis_use_ypbind(clvmd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
optional_policy(`udev.te', `
|
||||||
|
udev_read_db(clvmd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
ifdef(`TODO',`
|
||||||
|
optional_policy(`rhgb.te',`
|
||||||
|
rhgb_domain(clvmd_t)
|
||||||
|
')
|
||||||
|
') dnl end TODO
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# LVM Local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
|
||||||
@ -167,13 +258,10 @@ optional_policy(`udev.te', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
ifdef(`TODO',`
|
ifdef(`TODO',`
|
||||||
|
|
||||||
optional_policy(`gnome-pty-helper.te', `
|
optional_policy(`gnome-pty-helper.te', `
|
||||||
allow lvm_t sysadm_gph_t:fd use;
|
allow lvm_t sysadm_gph_t:fd use;
|
||||||
')
|
')
|
||||||
|
|
||||||
optional_policy(`rhgb.te',`
|
optional_policy(`rhgb.te',`
|
||||||
rhgb_domain(lvm_t)
|
rhgb_domain(lvm_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
') dnl end TODO
|
') dnl end TODO
|
||||||
|
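Review bot: The new `clvmd_t` network rules grant every port — `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports`, `corenet_tcp_bind_reserved_port` plus `corenet_dontaudit_tcp_bind_all_reserved_ports` — which makes the cluster daemon indistinguishable from any other network service at the port level. A cluster LVM daemon listens on a fixed port (I can't see which from this page), so declaring a port type for it and using the matching `corenet_tcp_bind_*`/`corenet_tcp_sendrecv_*` interfaces would confine it to that port and let the `all_ports` and `reserved_port` lines go. `allow clvmd_t self:socket create_socket_perms;` on the generic `socket` class is also unusual; if it is for a specific family the exact class should be named. Separately, nothing in this block gives clvmd_t access to storage devices, `lvm_etc_t`/`lvm_metadata_t`, or `lvm_exec_t`, so if the daemon manipulates volumes directly rather than only relaying cluster messages, expect denials — worth a permissive-mode pass before merging. The domain and its types are declared earlier in the file, outside this hunk.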
@ -1,13 +1,15 @@
|
|||||||
|
|
||||||
#
|
#
|
||||||
# /etc
|
# /etc
|
||||||
#
|
#
|
||||||
/etc/localtime -- context_template(system_u:object_r:locale_t,s0)
|
/etc/localtime -- context_template(system_u:object_r:locale_t,s0)
|
||||||
|
/etc/pki(/.*)? context_template(system_u:object_r:cert_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /opt
|
# /opt
|
||||||
#
|
#
|
||||||
/opt/.*/man(/.*)? context_template(system_u:object_r:man_t,s0)
|
/opt/(.*)?/man(/.*)? context_template(system_u:object_r:man_t,s0)
|
||||||
|
|
||||||
|
/srv/([^/]*/)?rsync(/.*)? context_template(system_u:object_r:ftpd_anon_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
|
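Review bot: `/srv/([^/]*/)?rsync(/.*)? context_template(system_u:object_r:ftpd_anon_t,s0)` reuses the anonymous-FTP public type for rsync module roots, so rsync content inherits whatever access is granted on `ftpd_anon_t` and, conversely, any ftp daemon already allowed to serve `ftpd_anon_t` can now serve the rsync trees. That is fine if both are intended as read-only public content, but it should be stated, e.g. `# rsync modules under /srv are public read-only data, shared with anonymous ftp`. The `ftpd_anon_rw_t` type introduced in miscfiles.te by this commit gets no file context here, so writable areas stay unlabeled until an admin relabels them by hand; worth a line or a note. `/etc/pki(/.*)?` as `cert_t` looks right.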
@ -25,6 +25,9 @@ files_type(fonts_t)
|
|||||||
type ftpd_anon_t; #, customizable;
|
type ftpd_anon_t; #, customizable;
|
||||||
files_type(ftpd_anon_t)
|
files_type(ftpd_anon_t)
|
||||||
|
|
||||||
|
type ftpd_anon_rw_t; #, customizable;
|
||||||
|
files_type(ftpd_anon_rw_t)
|
||||||
|
|
||||||
#
|
#
|
||||||
# type for /tmp/.ICE-unix
|
# type for /tmp/.ICE-unix
|
||||||
#
|
#
|
||||||
|
@ -181,8 +181,7 @@ userdom_use_all_user_fd(load_policy_t)
|
|||||||
# Newrole local policy
|
# Newrole local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow newrole_t self:capability { setuid setgid net_bind_service dac_override };
|
allow newrole_t self:capability { fowner setuid setgid dac_override };
|
||||||
|
|
||||||
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
allow newrole_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
|
||||||
allow newrole_t self:process setexec;
|
allow newrole_t self:process setexec;
|
||||||
allow newrole_t self:fd use;
|
allow newrole_t self:fd use;
|
||||||
|
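Review bot: The newrole capability set changes from `{ setuid setgid net_bind_service dac_override }` to `{ fowner setuid setgid dac_override }` with no comment on why `fowner` is now required. CAP_FOWNER bypasses owner checks on chmod/chown/utimes and similar operations, which is a meaningful grant for a role-changing tool; if it is needed to relabel or change the mode of a terminal newrole does not own, say so, e.g. `# fowner: relabel/chmod the controlling tty when it is not owned by the caller`, otherwise drop it. Dropping `net_bind_service` is a welcome tightening. The rest of newrole's policy is outside this hunk.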
@ -41,10 +41,12 @@ template(`base_user_template',`
|
|||||||
# type for contents of home directory
|
# type for contents of home directory
|
||||||
type $1_home_t, $1_file_type, home_type;
|
type $1_home_t, $1_file_type, home_type;
|
||||||
files_type($1_home_t)
|
files_type($1_home_t)
|
||||||
|
fs_associate_tmpfs($1_home_t)
|
||||||
|
|
||||||
# type of home directory
|
# type of home directory
|
||||||
type $1_home_dir_t, home_dir_type, home_type;
|
type $1_home_dir_t, home_dir_type, home_type;
|
||||||
files_type($1_home_dir_t)
|
files_type($1_home_dir_t)
|
||||||
|
fs_associate_tmpfs($1_home_dir_t)
|
||||||
|
|
||||||
type $1_tmp_t, $1_file_type;
|
type $1_tmp_t, $1_file_type;
|
||||||
files_tmp_file($1_tmp_t)
|
files_tmp_file($1_tmp_t)
|
||||||
|
@ -13,19 +13,14 @@ define(`shiftn',`ifelse($1,0,`shift($*)',`shiftn(decr($1),shift(shift($*)))')')
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# gen_user(username, role_set, mls_defaultlevel, mls_range)
|
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
|
||||||
#
|
#
|
||||||
define(`gen_user',`
|
define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
|
||||||
user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
|
|
||||||
')
|
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# gen_con(context,mls_sensitivity,[mcs_categories])
|
# gen_con(context,mls_sensitivity,[mcs_categories])
|
||||||
#
|
#
|
||||||
# MLS: Optionally put the sensitivity for the file
|
|
||||||
# MCS: Optionally put the categories of the file
|
|
||||||
#
|
|
||||||
define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
|
define(`context_template',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
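Review bot: The rewritten `gen_user` emits one `level … range …` clause under `enable_mls` and a second under `enable_mcs`, so if both are defined the generated `user` statement carries two level clauses and will not compile; `context_template` below makes the same exclusivity assumption, but it is stated nowhere. Propose adding to the comment block above the define: `# enable_mls and enable_mcs are mutually exclusive: each emits its own level/range clause`. When `$5` is omitted under MCS the user is generated with `range s0` and no categories, which is a reasonable default but deserves `# mcs_categories: omitted means the user gets no categories (range s0)` in the parameter comment. The explanatory `# MLS: …`/`# MCS: …` lines above `context_template` are deleted on the new side with nothing replacing them; consider keeping them.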
|
@ -4,11 +4,8 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# gen_user(username, role_set, mls_defaultlevel, mls_range)
|
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
|
||||||
#
|
#
|
||||||
define(`gen_user',`
|
|
||||||
user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
|
|
||||||
')
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# system_u is the user identity for system processes and objects.
|
# system_u is the user identity for system processes and objects.
|
||||||
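Review bot: The `# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])` comment is kept while the `define(`gen_user', …)` beneath it is deleted, so the header now documents a macro that no longer lives in this file. Either drop the comment block or replace it with a pointer such as `# gen_user() is defined in <support macro file -- placeholder>`.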
@ -16,7 +13,7 @@ user $1 roles { $2 } ifdef(`enable_mls', `level $3 range $4');
|
|||||||
# and a user process should never be assigned the system user
|
# and a user process should never be assigned the system user
|
||||||
# identity.
|
# identity.
|
||||||
#
|
#
|
||||||
gen_user(system_u, system_r, s0, s0 - s9:c0.c127)
|
gen_user(system_u, system_r, s0, s0 - s9:c0.c127, c0.c127)
|
||||||
|
|
||||||
# Normal users should not be added to this file,
|
# Normal users should not be added to this file,
|
||||||
# but instead added to the users file.
|
# but instead added to the users file.
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# gen_user(username, role_set, mls_defaultlevel, mls_range)
|
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
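Review bot: Typo in the new comment: `[mcs_catetories]` should read `[mcs_categories]`, matching the same header as updated in the other two copies of this comment in this commit.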
@ -29,11 +29,11 @@ gen_user(user_u, user_r, s0, s0 - s9:c0.c127)
|
|||||||
# not in the sysadm_r.
|
# not in the sysadm_r.
|
||||||
#
|
#
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127)
|
gen_user(root, user_r sysadm_r system_r, s0, s0 - s9:c0.c127, c0.c127)
|
||||||
',`
|
',`
|
||||||
ifdef(`direct_sysadm_daemon',`
|
ifdef(`direct_sysadm_daemon',`
|
||||||
gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127)
|
gen_user(root, sysadm_r staff_r system_r, s0, s0 - s9:c0.c127, c0.c127)
|
||||||
',`
|
',`
|
||||||
gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127)
|
gen_user(root, sysadm_r staff_r, s0, s0 - s9:c0.c127, c0.c127)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
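Review bot: All three root `gen_user` calls now pass `c0.c127` as the MCS category set, but the `gen_user(user_u, …)` line shown in the hunk header is not updated, so under `enable_mcs` user_u is generated with `range s0` and no categories. If that asymmetry is intended (unprivileged users receive no categories) a comment on the user_u line would record it; if not, user_u needs the same fifth argument. The user_u line itself is outside this hunk.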
|
@ -30,58 +30,52 @@ neverallow domain ~domain:process { transition dyntransition };
|
|||||||
# Verify that only the insmod_t and kernel_t domains
|
# Verify that only the insmod_t and kernel_t domains
|
||||||
# have the sys_module capability.
|
# have the sys_module capability.
|
||||||
#
|
#
|
||||||
neverallow {domain -unrestricted -insmod_t -kernel_t ifdef(`howl.te', `-howl_t') } self:capability sys_module;
|
neverallow {domain -privsysmod -unrestricted } self:capability sys_module;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that executable types, the system dynamic loaders, and the
|
# Verify that executable types, the system dynamic loaders, and the
|
||||||
# system shared libraries can only be modified by administrators.
|
# system shared libraries can only be modified by administrators.
|
||||||
#
|
#
|
||||||
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin} { exec_type ld_so_t shlib_t }:file { write append unlink rename };
|
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { exec_type ld_so_t shlib_t }:file { write append unlink rename };
|
||||||
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin } { exec_type ld_so_t shlib_t }:file relabelto;
|
neverallow {domain ifdef(`ldconfig.te', `-ldconfig_t') -change_context -admin -unrestricted } { exec_type ld_so_t shlib_t }:file relabelto;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that only appropriate domains can access /etc/shadow
|
# Verify that only appropriate domains can access /etc/shadow
|
||||||
neverallow { domain -auth -auth_write } shadow_t:file ~getattr;
|
neverallow { domain -auth_bool -auth -auth_write -unrestricted } shadow_t:file ~getattr;
|
||||||
neverallow { domain -auth_write } shadow_t:file ~r_file_perms;
|
neverallow { domain -auth_write -unrestricted } shadow_t:file ~r_file_perms;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that only appropriate domains can write to /etc (IE mess with
|
# Verify that only appropriate domains can write to /etc (IE mess with
|
||||||
# /etc/passwd)
|
# /etc/passwd)
|
||||||
neverallow {domain -auth_write -etc_writer } etc_t:dir ~rw_dir_perms;
|
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:dir ~rw_dir_perms;
|
||||||
neverallow {domain -auth_write -etc_writer } etc_t:lnk_file ~r_file_perms;
|
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:lnk_file ~r_file_perms;
|
||||||
neverallow {domain -auth_write -etc_writer } etc_t:file ~{ execute_no_trans rx_file_perms };
|
neverallow {domain -auth_write -etc_writer -unrestricted } etc_t:file ~{ execute_no_trans rx_file_perms };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that other system software can only be modified by administrators.
|
# Verify that other system software can only be modified by administrators.
|
||||||
#
|
#
|
||||||
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
|
neverallow {domain -kernel_t ifdef(`ldconfig.te', `-ldconfig_t') -admin -unrestricted } { lib_t bin_t sbin_t }:dir { add_name remove_name rename };
|
||||||
neverallow { domain -kernel_t -admin } { lib_t bin_t sbin_t }:file { write append unlink rename };
|
neverallow { domain -kernel_t -admin -unrestricted } { lib_t bin_t sbin_t }:file { write append unlink rename };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that only certain domains have access to the raw disk devices.
|
# Verify that only certain domains have access to the raw disk devices.
|
||||||
#
|
#
|
||||||
neverallow { domain -fs_domain } fixed_disk_device_t:devfile_class_set { read write append };
|
neverallow { domain -fs_domain -unrestricted } fixed_disk_device_t:devfile_class_set { read write append };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that only the X server and klogd have access to memory devices.
|
# Verify that only the X server and klogd have access to memory devices.
|
||||||
#
|
#
|
||||||
neverallow { domain -privmem } memory_device_t:devfile_class_set { read write append };
|
neverallow { domain -privmem -unrestricted } memory_device_t:devfile_class_set { read write append };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that only domains with the privlog attribute can actually syslog
|
# Verify that only domains with the privlog attribute can actually syslog
|
||||||
#
|
#
|
||||||
neverallow { domain -unrestricted -privlog } devlog_t:sock_file { read write append };
|
neverallow { domain -privlog -unrestricted } devlog_t:sock_file { read write append };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that /proc/kmsg is only accessible to klogd.
|
# Verify that /proc/kmsg is only accessible to klogd.
|
||||||
#
|
#
|
||||||
ifdef(`klogd.te', `
|
neverallow {domain -privkmsg -unrestricted } proc_kmsg_t:file ~stat_file_perms;
|
||||||
neverallow {domain -unrestricted -klogd_t } proc_kmsg_t:file ~stat_file_perms;
|
|
||||||
', `
|
|
||||||
ifdef(`syslogd.te', `
|
|
||||||
neverallow {domain -unrestricted -syslogd_t } proc_kmsg_t:file ~stat_file_perms;
|
|
||||||
')dnl end if syslogd
|
|
||||||
')dnl end if klogd
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that /proc/kcore is inaccessible.
|
# Verify that /proc/kcore is inaccessible.
|
||||||
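Review bot: Nearly every assertion in this hunk now carries `-unrestricted`, and the same blanket exemption is applied in the hunks at `@ -93,14 +87,14 @@` and `@ -146,13 +140,13 @@` (sysctl, setenforce and load_policy), yet nothing in the change constrains which domains may hold the `unrestricted` attribute, so these assertions no longer catch a domain that is given it by mistake. A header comment stating the intent, e.g. `# domains with the unrestricted attribute are exempt from every assertion below; review each type added to it`, keeps the weakening explicit. Separately, `-auth_bool` on the shadow_t `~getattr` assertion is safe only because the following `~r_file_perms` assertion still forbids write access to those domains; a comment on the `auth_bool` line saying so prevents the two lines being separated later.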
@ -93,14 +87,14 @@ neverallow { domain -unrestricted } proc_kcore_t:file ~stat_file_perms;
|
|||||||
# Verify that sysctl variables are only changeable
|
# Verify that sysctl variables are only changeable
|
||||||
# by initrc and administrators.
|
# by initrc and administrators.
|
||||||
#
|
#
|
||||||
neverallow { domain -initrc_t -admin -kernel_t -insmod_t } sysctl_t:file { write append };
|
neverallow { domain -initrc_t -admin -kernel_t -insmod_t -unrestricted } sysctl_t:file { write append };
|
||||||
neverallow { domain -initrc_t -admin } sysctl_fs_t:file { write append };
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_fs_t:file { write append };
|
||||||
neverallow { domain -admin -sysctl_kernel_writer } sysctl_kernel_t:file { write append };
|
neverallow { domain -admin -sysctl_kernel_writer -unrestricted } sysctl_kernel_t:file { write append };
|
||||||
neverallow { domain -initrc_t -admin -sysctl_net_writer } sysctl_net_t:file { write append };
|
neverallow { domain -initrc_t -admin -sysctl_net_writer -unrestricted } sysctl_net_t:file { write append };
|
||||||
neverallow { domain -initrc_t -admin } sysctl_net_unix_t:file { write append };
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_net_unix_t:file { write append };
|
||||||
neverallow { domain -initrc_t -admin } sysctl_vm_t:file { write append };
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_vm_t:file { write append };
|
||||||
neverallow { domain -initrc_t -admin } sysctl_dev_t:file { write append };
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_dev_t:file { write append };
|
||||||
neverallow { domain -initrc_t -admin } sysctl_modprobe_t:file { write append };
|
neverallow { domain -initrc_t -admin -unrestricted } sysctl_modprobe_t:file { write append };
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that certain domains are limited to only being
|
# Verify that certain domains are limited to only being
|
||||||
@ -146,13 +140,13 @@ neverallow { passwd_t sysadm_passwd_t } ~{ bin_t sbin_t shell_exec_t ld_so_t }:f
|
|||||||
#
|
#
|
||||||
# Verify that only the admin domains and initrc_t have setenforce.
|
# Verify that only the admin domains and initrc_t have setenforce.
|
||||||
#
|
#
|
||||||
neverallow { domain -admin -initrc_t } security_t:security setenforce;
|
neverallow { domain -secadmin -initrc_t -unrestricted } security_t:security setenforce;
|
||||||
|
|
||||||
#
|
#
|
||||||
# Verify that only the kernel and load_policy_t have load_policy.
|
# Verify that only the kernel and load_policy_t have load_policy.
|
||||||
#
|
#
|
||||||
|
|
||||||
neverallow { domain -unrestricted -kernel_t -load_policy_t } security_t:security load_policy;
|
neverallow { domain -kernel_t -load_policy_t -unrestricted } security_t:security load_policy;
|
||||||
|
|
||||||
#
|
#
|
||||||
# for gross mistakes in policy
|
# for gross mistakes in policy
|
||||||
|
@ -141,6 +141,10 @@ attribute privhome;
|
|||||||
# to read /etc/shadow, and grants the permission.
|
# to read /etc/shadow, and grants the permission.
|
||||||
attribute auth;
|
attribute auth;
|
||||||
|
|
||||||
|
# The auth_bool attribute identifies every domain that can
|
||||||
|
# read /etc/shadow if its boolean is set;
|
||||||
|
attribute auth_bool;
|
||||||
|
|
||||||
# The auth_write attribute identifies every domain that can have write or
|
# The auth_write attribute identifies every domain that can have write or
|
||||||
# relabel access to /etc/shadow, but does not grant it.
|
# relabel access to /etc/shadow, but does not grant it.
|
||||||
attribute auth_write;
|
attribute auth_write;
|
||||||
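Review bot: The new comment on `auth_bool` ends with a semicolon and reads as a fragment; `# read /etc/shadow when its boolean is set.` would close it. It would also help to state that the attribute only exempts its members from the `~getattr` assertion on shadow_t in assert.te, while the `~r_file_perms` assertion still applies to them.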
@ -180,6 +184,12 @@ attribute sysctl_type;
|
|||||||
# XXX used in different assertions within assert.te.
|
# XXX used in different assertions within assert.te.
|
||||||
attribute admin;
|
attribute admin;
|
||||||
|
|
||||||
|
# The secadmin attribute identifies every security administrator domain.
|
||||||
|
# It is used in TE assertions when verifying that only administrator
|
||||||
|
# domains have certain permissions.
|
||||||
|
# This attribute is presently associated with sysadm_t and secadm_t
|
||||||
|
attribute secadmin;
|
||||||
|
|
||||||
# The userdomain attribute identifies every user domain, presently
|
# The userdomain attribute identifies every user domain, presently
|
||||||
# user_t and sysadm_t. It is used in TE rules that should be applied
|
# user_t and sysadm_t. It is used in TE rules that should be applied
|
||||||
# to all user domains.
|
# to all user domains.
|
||||||
@ -454,3 +464,18 @@ attribute transitionbool;
|
|||||||
# of the file system.
|
# of the file system.
|
||||||
attribute customizable;
|
attribute customizable;
|
||||||
|
|
||||||
|
##############################
|
||||||
|
# Attributes for polyinstatiation support:
|
||||||
|
#
|
||||||
|
|
||||||
|
# For labeling types that are to be polyinstantiated
|
||||||
|
attribute polydir;
|
||||||
|
|
||||||
|
# And for labeling the parent directories of those polyinstantiated directories
|
||||||
|
# This is necessary for remounting the original in the parent to give
|
||||||
|
# security aware apps access
|
||||||
|
attribute polyparent;
|
||||||
|
|
||||||
|
# And labeling for the member directories
|
||||||
|
attribute polymember;
|
||||||
|
|
||||||
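Review bot: Typo in the new section header: `polyinstatiation` should be `polyinstantiation`. The three attribute comments otherwise read well; `polyparent` could additionally note that it is the parent directory type, not the polyinstantiated directory itself, which the second sentence implies but does not say.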
|
@ -121,3 +121,16 @@ r_dir_file(lvm_t, selinux_config_t)
|
|||||||
|
|
||||||
# it has no reason to need this
|
# it has no reason to need this
|
||||||
dontaudit lvm_t proc_kcore_t:file getattr;
|
dontaudit lvm_t proc_kcore_t:file getattr;
|
||||||
|
|
||||||
|
# cluster LVM daemon
|
||||||
|
daemon_domain(clvmd)
|
||||||
|
can_network(clvmd_t)
|
||||||
|
can_ypbind(clvmd_t)
|
||||||
|
allow clvmd_t self:capability net_bind_service;
|
||||||
|
allow clvmd_t self:socket create_socket_perms;
|
||||||
|
allow clvmd_t self:fifo_file { read write };
|
||||||
|
allow clvmd_t self:file { getattr read };
|
||||||
|
allow clvmd_t self:unix_stream_socket { connectto create_stream_socket_perms };
|
||||||
|
allow clvmd_t reserved_port_t:tcp_socket name_bind;
|
||||||
|
dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;
|
||||||
|
dontaudit clvmd_t selinux_config_t:dir search;
|
||||||
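Review bot: `allow clvmd_t reserved_port_t:tcp_socket name_bind;` lets the new daemon bind any generic reserved port rather than a port type of its own, and the following `dontaudit clvmd_t reserved_port_type:tcp_socket name_bind;` suggests it probes several; a dedicated port type (a constructed name such as `clvmd_port_t`, declared with the other port types) would keep the bind least-privileged and auditable. The block also grants `can_network(clvmd_t)` and `self:unix_stream_socket connectto` with only `# cluster LVM daemon` as explanation; a line such as `# clvmd: cluster locking daemon; needs TCP for inter-node lock traffic -- confirm` would document why a storage daemon needs full networking.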
|
@ -8,7 +8,7 @@
|
|||||||
#
|
#
|
||||||
# Rules for the snmpd_t domain.
|
# Rules for the snmpd_t domain.
|
||||||
#
|
#
|
||||||
daemon_domain(snmpd)
|
daemon_domain(snmpd, `, nscd_client_domain')
|
||||||
|
|
||||||
#temp
|
#temp
|
||||||
allow snmpd_t var_t:dir getattr;
|
allow snmpd_t var_t:dir getattr;
|
||||||
@ -16,17 +16,14 @@ allow snmpd_t var_t:dir getattr;
|
|||||||
can_network_server(snmpd_t)
|
can_network_server(snmpd_t)
|
||||||
can_ypbind(snmpd_t)
|
can_ypbind(snmpd_t)
|
||||||
|
|
||||||
type snmp_port_t, port_type, reserved_port_type;
|
|
||||||
allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
|
allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;
|
||||||
|
|
||||||
etc_domain(snmpd)
|
etc_domain(snmpd)
|
||||||
typealias snmpd_etc_t alias etc_snmpd_t;
|
|
||||||
|
|
||||||
# for the .index file
|
# for the .index file
|
||||||
var_lib_domain(snmpd)
|
var_lib_domain(snmpd)
|
||||||
file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
|
file_type_auto_trans(snmpd_t, var_t, snmpd_var_lib_t, dir)
|
||||||
file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
|
file_type_auto_trans(snmpd_t, { usr_t var_t }, snmpd_var_lib_t, file)
|
||||||
typealias snmpd_var_lib_t alias snmpd_var_rw_t;
|
|
||||||
|
|
||||||
log_domain(snmpd)
|
log_domain(snmpd)
|
||||||
# for /usr/share/snmp/mibs
|
# for /usr/share/snmp/mibs
|
||||||
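Review bot: The `type snmp_port_t, port_type, reserved_port_type;` declaration is removed while `allow snmpd_t snmp_port_t:{ udp_socket tcp_socket } name_bind;` stays, so the build now depends on that type being declared elsewhere (presumably a central port declaration not visible on this page); confirm it is. Dropping `typealias snmpd_etc_t alias etc_snmpd_t;` and `typealias snmpd_var_lib_t alias snmpd_var_rw_t;` removes compatibility names: files on disk still carrying the old labels lose their mapping once the new policy loads, so the snmpd config and var/lib directories need a relabel after upgrade. A comment recording the alias removal and the relabel requirement would help packagers.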
@ -39,13 +36,15 @@ allow snmpd_t self:unix_dgram_socket create_socket_perms;
|
|||||||
allow snmpd_t self:unix_stream_socket create_socket_perms;
|
allow snmpd_t self:unix_stream_socket create_socket_perms;
|
||||||
allow snmpd_t etc_t:lnk_file read;
|
allow snmpd_t etc_t:lnk_file read;
|
||||||
allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
|
allow snmpd_t { etc_t etc_runtime_t }:file r_file_perms;
|
||||||
allow snmpd_t urandom_device_t:chr_file read;
|
allow snmpd_t { random_device_t urandom_device_t }:chr_file { getattr read };
|
||||||
allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
|
allow snmpd_t self:capability { dac_override kill net_bind_service net_admin sys_nice sys_tty_config };
|
||||||
|
|
||||||
allow snmpd_t proc_t:dir search;
|
allow snmpd_t proc_t:dir search;
|
||||||
allow snmpd_t proc_t:file r_file_perms;
|
allow snmpd_t proc_t:file r_file_perms;
|
||||||
allow snmpd_t self:file { getattr read };
|
allow snmpd_t self:file { getattr read };
|
||||||
allow snmpd_t self:fifo_file { read write };
|
allow snmpd_t self:fifo_file rw_file_perms;
|
||||||
|
allow snmpd_t { bin_t sbin_t }:dir search;
|
||||||
|
can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })
|
||||||
|
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
ifdef(`rpm.te', `
|
ifdef(`rpm.te', `
|
||||||
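Review bot: `can_exec(snmpd_t, { bin_t sbin_t shell_exec_t })` lets snmpd run any system binary or shell inside snmpd_t with no domain transition, and this network-facing domain already holds `net_admin`, `kill` and `dac_override`, so the grant is wide. If the need is snmpd's script-execution handlers, say so and consider confining it behind a boolean or a transition into a helper domain; at minimum add `# snmpd runs configured extension scripts in its own domain -- confirm needed`. The widening of the random-device read on the line above is fine.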
@ -61,6 +60,9 @@ dontaudit snmpd_t initrc_var_run_t:file write;
|
|||||||
dontaudit snmpd_t rpc_pipefs_t:dir getattr;
|
dontaudit snmpd_t rpc_pipefs_t:dir getattr;
|
||||||
allow snmpd_t rpc_pipefs_t:dir getattr;
|
allow snmpd_t rpc_pipefs_t:dir getattr;
|
||||||
read_sysctl(snmpd_t)
|
read_sysctl(snmpd_t)
|
||||||
|
allow snmpd_t sysctl_net_t:dir search;
|
||||||
|
allow snmpd_t sysctl_net_t:file { getattr read };
|
||||||
|
|
||||||
dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
|
dontaudit snmpd_t { removable_device_t fixed_disk_device_t }:blk_file { getattr ioctl read };
|
||||||
allow snmpd_t sysfs_t:dir { getattr read search };
|
allow snmpd_t sysfs_t:dir { getattr read search };
|
||||||
ifdef(`amanda.te', `
|
ifdef(`amanda.te', `
|
||||||
@ -75,6 +77,7 @@ allow snmpd_t var_lib_nfs_t:dir search;
|
|||||||
allow snmpd_t proc_net_t:dir search;
|
allow snmpd_t proc_net_t:dir search;
|
||||||
allow snmpd_t proc_net_t:file r_file_perms;
|
allow snmpd_t proc_net_t:file r_file_perms;
|
||||||
|
|
||||||
dontaudit snmpd_t domain:dir { getattr search };
|
allow snmpd_t domain:dir { getattr search };
|
||||||
|
allow snmpd_t domain:file { getattr read };
|
||||||
|
|
||||||
dontaudit snmpd_t selinux_config_t:dir search;
|
dontaudit snmpd_t selinux_config_t:dir search;
|
||||||
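Review bot: `allow snmpd_t domain:file { getattr read };` turns a `dontaudit` on directories into a read grant on every domain's /proc entries, which is much broader than enumerating the process table (that needs `domain:dir { getattr search }` plus reading specific entries). If snmpd only needs per-process status information, confirm that `file { getattr read }` across all of `domain` is actually required and record it: `# presumably for the process-table MIB: reads /proc/<pid>/* of every domain -- confirm`.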
|
@ -9,3 +9,12 @@
|
|||||||
/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
|
/var/log/krb5kdc\.log system_u:object_r:krb5kdc_log_t
|
||||||
/var/log/kadmind\.log system_u:object_r:kadmind_log_t
|
/var/log/kadmind\.log system_u:object_r:kadmind_log_t
|
||||||
/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
|
/usr(/local)?/bin/ksu -- system_u:object_r:su_exec_t
|
||||||
|
|
||||||
|
# gentoo file locations
|
||||||
|
/usr/sbin/krb5kdc -- system_u:object_r:krb5kdc_exec_t
|
||||||
|
/usr/sbin/kadmind -- system_u:object_r:kadmind_exec_t
|
||||||
|
/etc/krb5kdc(/.*)? system_u:object_r:krb5kdc_conf_t
|
||||||
|
/etc/krb5kdc/principal.* system_u:object_r:krb5kdc_principal_t
|
||||||
|
/etc/krb5kdc/kadm5.keytab -- system_u:object_r:krb5_keytab_t
|
||||||
|
/var/log/kadmin.log -- system_u:object_r:kadmind_log_t
|
||||||
|
|
||||||
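Review bot: The new Gentoo-specific entries are added unconditionally under a bare `# gentoo file locations` comment, whereas other file-context files in this commit wrap distribution paths in `ifdef(`distro_gentoo', …)` (the hunk header at `@ -359,7 +359,9 @@ ifdef(`distro_gentoo', `` shows that convention). Wrapping the block keeps `/etc/krb5kdc(/.*)?` and the principal/keytab entries from being applied on distributions where those paths are not used.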
|
@ -13,8 +13,8 @@
|
|||||||
/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t
|
/var/lock/lvm(/.*)? system_u:object_r:lvm_lock_t
|
||||||
/dev/lvm -c system_u:object_r:fixed_disk_device_t
|
/dev/lvm -c system_u:object_r:fixed_disk_device_t
|
||||||
/dev/mapper/control -c system_u:object_r:lvm_control_t
|
/dev/mapper/control -c system_u:object_r:lvm_control_t
|
||||||
/lib/lvm-10(/.*) -- system_u:object_r:lvm_exec_t
|
/lib/lvm-10/.* -- system_u:object_r:lvm_exec_t
|
||||||
/lib/lvm-200(/.*) -- system_u:object_r:lvm_exec_t
|
/lib/lvm-200/.* -- system_u:object_r:lvm_exec_t
|
||||||
/sbin/e2fsadm -- system_u:object_r:lvm_exec_t
|
/sbin/e2fsadm -- system_u:object_r:lvm_exec_t
|
||||||
/sbin/lvchange -- system_u:object_r:lvm_exec_t
|
/sbin/lvchange -- system_u:object_r:lvm_exec_t
|
||||||
/sbin/lvcreate -- system_u:object_r:lvm_exec_t
|
/sbin/lvcreate -- system_u:object_r:lvm_exec_t
|
||||||
@ -64,3 +64,6 @@
|
|||||||
/sbin/pvremove -- system_u:object_r:lvm_exec_t
|
/sbin/pvremove -- system_u:object_r:lvm_exec_t
|
||||||
/sbin/pvs -- system_u:object_r:lvm_exec_t
|
/sbin/pvs -- system_u:object_r:lvm_exec_t
|
||||||
/sbin/vgs -- system_u:object_r:lvm_exec_t
|
/sbin/vgs -- system_u:object_r:lvm_exec_t
|
||||||
|
/sbin/multipathd -- system_u:object_r:lvm_exec_t
|
||||||
|
/var/cache/multipathd(/.*)? system_u:object_r:lvm_metadata_t
|
||||||
|
/usr/sbin/clvmd -- system_u:object_r:clvmd_exec_t
|
||||||
|
@ -1,2 +1,3 @@
|
|||||||
# rsync program
|
# rsync program
|
||||||
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
|
/usr/bin/rsync -- system_u:object_r:rsync_exec_t
|
||||||
|
/srv/([^/]*/)?rsync(/.*)? system_u:object_r:ftpd_anon_t
|
||||||
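Review bot: Labelling `/srv/([^/]*/)?rsync(/.*)?` as `ftpd_anon_t` ties rsync module trees to the anonymous-FTP content type, so every domain permitted to read anonymous FTP data gains the same access to rsync exports and vice versa. If the two services are meant to share one public-data type that deserves a comment here, e.g. `# rsync modules share the anonymous-FTP public content type`; otherwise a dedicated rsync content type keeps the two services' access separable. The same mapping appears in refpolicy form at the top of this page, so both copies should carry the note.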
|
@ -261,13 +261,13 @@ ifdef(`distro_suse', `
|
|||||||
# /opt
|
# /opt
|
||||||
#
|
#
|
||||||
/opt(/.*)? system_u:object_r:usr_t
|
/opt(/.*)? system_u:object_r:usr_t
|
||||||
/opt/.*/lib(64)?(/.*)? system_u:object_r:lib_t
|
/opt(/.*)?/lib(64)?(/.*)? system_u:object_r:lib_t
|
||||||
/opt/.*/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
|
/opt(/.*)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
|
||||||
/opt/.*/libexec(/.*)? system_u:object_r:bin_t
|
/opt(/.*)?/libexec(/.*)? system_u:object_r:bin_t
|
||||||
/opt/.*/bin(/.*)? system_u:object_r:bin_t
|
/opt(/.*)?/bin(/.*)? system_u:object_r:bin_t
|
||||||
/opt/.*/sbin(/.*)? system_u:object_r:sbin_t
|
/opt(/.*)?/sbin(/.*)? system_u:object_r:sbin_t
|
||||||
/opt/.*/man(/.*)? system_u:object_r:man_t
|
/opt(/.*)?/man(/.*)? system_u:object_r:man_t
|
||||||
/opt/.*/var/lib(64)?(/.*)? system_u:object_r:var_lib_t
|
/opt(/.*)?/var/lib(64)?(/.*)? system_u:object_r:var_lib_t
|
||||||
|
|
||||||
#
|
#
|
||||||
# /etc
|
# /etc
|
||||||
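Review bot: `/opt(/.*)?/.*\.so(\.[^/]*)* -- shlib_t` now labels every shared object anywhere under /opt as a system shared library, where the old pattern only matched inside a `lib(64)?` directory; `shlib_t` is protected by the `ld_so_t shlib_t` assertions and loadable by every domain, so any third-party package dropping a `.so` under /opt is treated as part of the system trust base automatically. If that is intended, a comment such as `# all shared objects under /opt are trusted system libraries` would record the decision; otherwise keep the `lib(64)?` component in the pattern.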
@ -359,7 +359,9 @@ ifdef(`distro_gentoo', `
|
|||||||
|
|
||||||
# nvidia share libraries
|
# nvidia share libraries
|
||||||
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
|
/usr/x11R6/lib/modules/extensions/libglx\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
|
||||||
|
/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
|
||||||
/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
|
/usr(/.*)?/nvidia/.*\.so(\..*)? -- system_u:object_r:texrel_shlib_t
|
||||||
|
/usr/lib(64)?(/.*)?/libnvidia.*\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t
|
||||||
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
|
/usr/X11R6/lib/libXvMCNVIDIA\.so.* -- system_u:object_r:texrel_shlib_t
|
||||||
|
|
||||||
# libGL
|
# libGL
|
||||||
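Review bot: The new entry `/usr/lib(64)?/libGL(core)?/.so(\.[^/]*)*` has `/.so` where `\.so` is clearly meant: as written it requires a directory named `libGL` or `libGLcore` followed by any single character and `so`, so it matches nothing useful and `libGL.so.*` presumably keeps the generic shared-library label. Change it to `/usr/lib(64)?/libGL(core)?\.so(\.[^/]*)* -- system_u:object_r:texrel_shlib_t`.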
@ -385,6 +387,10 @@ ifdef(`distro_gentoo', `
|
|||||||
/usr/local/etc(/.*)? system_u:object_r:etc_t
|
/usr/local/etc(/.*)? system_u:object_r:etc_t
|
||||||
/usr/local/src(/.*)? system_u:object_r:src_t
|
/usr/local/src(/.*)? system_u:object_r:src_t
|
||||||
/usr/local/man(/.*)? system_u:object_r:man_t
|
/usr/local/man(/.*)? system_u:object_r:man_t
|
||||||
|
/usr/local/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
|
||||||
|
/usr/(local/)?lib/wine/.*\.so -- system_u:object_r:texrel_shlib_t
|
||||||
|
/usr/(local/)?lib/libfame-.*\.so.* -- system_u:object_r:texrel_shlib_t
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr/X11R6/man
|
# /usr/X11R6/man
|
||||||
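Review bot: `/usr/(local/)?lib/wine/.*\.so` and `/usr/(local/)?lib/libfame-.*\.so.*` omit the `(64)?` that the neighbouring entries use for multilib hosts (see the `lib(64)?` forms added at `@ -359,7 +359,9 @@`), so 64-bit installs of those libraries keep the ordinary `shlib_t` label and may be denied the text-relocation access that `texrel_shlib_t` exists to grant. Propose `/usr/(local/)?lib(64)?/wine/.*\.so` and `/usr/(local/)?lib(64)?/libfame-.*\.so.*`.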
@ -442,13 +448,22 @@ HOME_ROOT/\.journal <<none>>
|
|||||||
#
|
#
|
||||||
# Lost and found directories.
|
# Lost and found directories.
|
||||||
#
|
#
|
||||||
/lost\+found(/.*)? system_u:object_r:lost_found_t
|
/lost\+found -d system_u:object_r:lost_found_t
|
||||||
/usr/lost\+found(/.*)? system_u:object_r:lost_found_t
|
/lost\+found/.* <<none>>
|
||||||
/boot/lost\+found(/.*)? system_u:object_r:lost_found_t
|
/usr/lost\+found -d system_u:object_r:lost_found_t
|
||||||
HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
|
/usr/lost\+found/.* <<none>>
|
||||||
/var/lost\+found(/.*)? system_u:object_r:lost_found_t
|
/boot/lost\+found -d system_u:object_r:lost_found_t
|
||||||
/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t
|
/boot/lost\+found/.* <<none>>
|
||||||
/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t
|
HOME_ROOT/lost\+found -d system_u:object_r:lost_found_t
|
||||||
|
HOME_ROOT/lost\+found/.* <<none>>
|
||||||
|
/var/lost\+found -d system_u:object_r:lost_found_t
|
||||||
|
/var/lost\+found/.* <<none>>
|
||||||
|
/tmp/lost\+found -d system_u:object_r:lost_found_t
|
||||||
|
/tmp/lost\+found/.* <<none>>
|
||||||
|
/var/tmp/lost\+found -d system_u:object_r:lost_found_t
|
||||||
|
/var/tmp/lost\+found/.* <<none>>
|
||||||
|
/usr/local/lost\+found -d system_u:object_r:lost_found_t
|
||||||
|
/usr/local/lost\+found/.* <<none>>
|
||||||
|
|
||||||
#
|
#
|
||||||
# system localization
|
# system localization
|
||||||
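Review bot: The switch from `(/.*)?` to `-d` plus `/.* <<none>>` is a behaviour change the hunk does not explain: only the lost+found directory itself is relabelled and whatever fsck places inside is left with its existing label. A comment above the block, `# relabel only the directory; recovered files keep their existing label (<<none>>)`, saves the next reader from wondering why the contents are excluded. The new `/var/tmp/lost\+found` pair is consistent with the rest.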
@ -458,6 +473,7 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
|
|||||||
/usr/lib/locale(/.*)? system_u:object_r:locale_t
|
/usr/lib/locale(/.*)? system_u:object_r:locale_t
|
||||||
/etc/localtime -- system_u:object_r:locale_t
|
/etc/localtime -- system_u:object_r:locale_t
|
||||||
/etc/localtime -l system_u:object_r:etc_t
|
/etc/localtime -l system_u:object_r:etc_t
|
||||||
|
/etc/pki(/.*)? system_u:object_r:cert_t
|
||||||
|
|
||||||
#
|
#
|
||||||
# Gnu Cash
|
# Gnu Cash
|
||||||
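Review bot: `/etc/pki(/.*)? system_u:object_r:cert_t` labels the whole tree with the type used for public certificates, so if private key material is stored under it (as is common), every domain that can read `cert_t` for CA bundles can also read those keys. If keys live there, a separate type for them, or at least `# NOTE: private keys under /etc/pki share cert_t with public certs -- confirm acceptable`, would keep the distinction visible.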
@ -465,6 +481,11 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
|
|||||||
/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
|
/usr/share/gnucash/finance-quote-check -- system_u:object_r:bin_t
|
||||||
/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
|
/usr/share/gnucash/finance-quote-helper -- system_u:object_r:bin_t
|
||||||
|
|
||||||
|
#
|
||||||
|
# Turboprint
|
||||||
|
#
|
||||||
|
/usr/share/turboprint/lib(/.*)? -- system_u:object_r:bin_t
|
||||||
|
|
||||||
#
|
#
|
||||||
# initrd mount point, only used during boot
|
# initrd mount point, only used during boot
|
||||||
#
|
#
|
||||||
@ -481,5 +502,12 @@ HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t
|
|||||||
#
|
#
|
||||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
|
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird -- system_u:object_r:bin_t
|
||||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
|
/usr/lib(64)?/[^/]*thunderbird[^/]*/thunderbird-bin -- system_u:object_r:bin_t
|
||||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
|
/usr/lib(64)?/[^/]*thunderbird[^/]*/open-browser\.sh -- system_u:object_r:bin_t
|
||||||
/usr/lib(64)?/[^/]*thunderbird[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
|
/usr/lib(64)?/[^/]*/run-mozilla\.sh -- system_u:object_r:bin_t
|
||||||
|
/usr/lib(64)?/[^/]*/mozilla-xremote-client -- system_u:object_r:bin_t
|
||||||
|
|
||||||
|
#
|
||||||
|
# /srv
|
||||||
|
#
|
||||||
|
/srv(/.*)? system_u:object_r:var_t
|
||||||
|
|
||||||
|
@ -17,30 +17,25 @@ define(`chkpwd_domain',`
|
|||||||
# Derived domain based on the calling user domain and the program.
|
# Derived domain based on the calling user domain and the program.
|
||||||
type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
|
type $1_chkpwd_t, domain, privlog, nscd_client_domain, auth;
|
||||||
|
|
||||||
|
role $1_r types $1_chkpwd_t;
|
||||||
|
|
||||||
# is_selinux_enabled
|
# is_selinux_enabled
|
||||||
allow $1_chkpwd_t proc_t:file read;
|
allow $1_chkpwd_t proc_t:file read;
|
||||||
|
|
||||||
can_getcon($1_chkpwd_t)
|
can_getcon($1_chkpwd_t)
|
||||||
can_ypbind($1_chkpwd_t)
|
authentication_domain($1_chkpwd_t)
|
||||||
can_kerberos($1_chkpwd_t)
|
|
||||||
can_ldap($1_chkpwd_t)
|
|
||||||
can_resolve($1_chkpwd_t)
|
|
||||||
# Transition from the user domain to this domain.
|
|
||||||
ifelse($1, system, `
|
ifelse($1, system, `
|
||||||
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
|
domain_auto_trans(auth_chkpwd, chkpwd_exec_t, system_chkpwd_t)
|
||||||
role system_r types system_chkpwd_t;
|
|
||||||
dontaudit auth_chkpwd shadow_t:file { getattr read };
|
|
||||||
allow auth_chkpwd sbin_t:dir search;
|
allow auth_chkpwd sbin_t:dir search;
|
||||||
dontaudit $1_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
|
allow auth_chkpwd self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
can_ypbind(auth_chkpwd)
|
|
||||||
can_kerberos(auth_chkpwd)
|
dontaudit system_chkpwd_t { user_tty_type tty_device_t }:chr_file rw_file_perms;
|
||||||
can_ldap(auth_chkpwd)
|
authentication_domain(auth_chkpwd)
|
||||||
can_resolve(auth_chkpwd)
|
|
||||||
', `
|
', `
|
||||||
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
|
domain_auto_trans($1_t, chkpwd_exec_t, $1_chkpwd_t)
|
||||||
allow $1_t sbin_t:dir search;
|
allow $1_t sbin_t:dir search;
|
||||||
|
allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||||
# The user role is authorized for this domain.
|
|
||||||
role $1_r types $1_chkpwd_t;
|
|
||||||
|
|
||||||
# Write to the user domain tty.
|
# Write to the user domain tty.
|
||||||
access_terminal($1_chkpwd_t, $1)
|
access_terminal($1_chkpwd_t, $1)
|
||||||
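Review bot: `allow $1_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` (and its `auth_chkpwd` counterpart in the system branch) grants the calling user domain, not the `$1_chkpwd_t` helper, the right to create audit netlink sockets and relay user-space audit records; that is a notable privilege for every user domain instantiated through this template and the hunk gives no reason. If PAM's audit logging in the caller needs it, say so with `# PAM in the calling domain emits its own audit records via nlmsg_relay -- confirm`; otherwise consider moving the grant to `$1_chkpwd_t`. Making `role $1_r types $1_chkpwd_t;` unconditional at the top reproduces the removed `role system_r types system_chkpwd_t;` for `$1 = system`, so that part is consistent. The `chkpwd_domain` body continues past both ends of this hunk.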
|
@ -67,6 +67,7 @@ role $1_r types $1_crond_t;
|
|||||||
|
|
||||||
# This domain is granted permissions common to most domains.
|
# This domain is granted permissions common to most domains.
|
||||||
can_network($1_crond_t)
|
can_network($1_crond_t)
|
||||||
|
allow $1_crond_t port_type:tcp_socket name_connect;
|
||||||
can_ypbind($1_crond_t)
|
can_ypbind($1_crond_t)
|
||||||
r_dir_file($1_crond_t, self)
|
r_dir_file($1_crond_t, self)
|
||||||
allow $1_crond_t self:fifo_file rw_file_perms;
|
allow $1_crond_t self:fifo_file rw_file_perms;
|
||||||
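Review bot: `allow $1_crond_t port_type:tcp_socket name_connect;` grants the cron-job domain outbound connections to every port type, which removes the per-port control that `name_connect` exists to provide. If arbitrary outbound access from cron jobs is intended, gate it behind a boolean or at least state the decision, e.g. `# cron jobs may connect to any TCP port -- confirm; consider a tunable`; otherwise list the port types the jobs actually need.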
|
@ -41,8 +41,6 @@ read_locale($1_crontab_t)
|
|||||||
# Use capabilities dac_override is to create the file in the directory
|
# Use capabilities dac_override is to create the file in the directory
|
||||||
# under /tmp
|
# under /tmp
|
||||||
allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
|
allow $1_crontab_t $1_crontab_t:capability { setuid setgid chown dac_override };
|
||||||
dontaudit $1_crontab_t proc_t:dir search;
|
|
||||||
dontaudit $1_crontab_t selinux_config_t:dir search;
|
|
||||||
|
|
||||||
# Type for temporary files.
|
# Type for temporary files.
|
||||||
file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
|
file_type_auto_trans($1_crontab_t, tmp_t, $1_tmp_t, { dir file })
|
||||||
@ -65,6 +63,11 @@ dontaudit $1_crontab_t crond_t:process signal;
|
|||||||
|
|
||||||
# for the checks used by crontab -u
|
# for the checks used by crontab -u
|
||||||
dontaudit $1_crontab_t security_t:dir search;
|
dontaudit $1_crontab_t security_t:dir search;
|
||||||
|
allow $1_crontab_t proc_t:dir search;
|
||||||
|
allow $1_crontab_t proc_t:{ file lnk_file } { getattr read };
|
||||||
|
allow $1_crontab_t selinux_config_t:dir search;
|
||||||
|
allow $1_crontab_t selinux_config_t:file { getattr read };
|
||||||
|
dontaudit $1_crontab_t self:dir search;
|
||||||
|
|
||||||
# crontab signals crond by updating the mtime on the spooldir
|
# crontab signals crond by updating the mtime on the spooldir
|
||||||
allow $1_crontab_t cron_spool_t:dir setattr;
|
allow $1_crontab_t cron_spool_t:dir setattr;
|
||||||
|
@ -30,17 +30,20 @@ r_dir_file($1_dbusd_t, etc_dbusd_t)
|
|||||||
tmp_domain($1_dbusd)
|
tmp_domain($1_dbusd)
|
||||||
allow $1_dbusd_t self:process fork;
|
allow $1_dbusd_t self:process fork;
|
||||||
ifdef(`xdm.te', `
|
ifdef(`xdm.te', `
|
||||||
allow $1_dbusd_t xdm_t:fd use;
|
can_pipe_xdm($1_dbusd_t)
|
||||||
allow $1_dbusd_t xdm_t:fifo_file write;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
|
allow $1_dbusd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
|
allow $1_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
|
||||||
allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
|
allow $1_dbusd_t urandom_device_t:chr_file { getattr read };
|
||||||
allow $1_dbusd_t self:file { getattr read };
|
allow $1_dbusd_t self:file { getattr read write };
|
||||||
allow $1_dbusd_t proc_t:file read;
|
allow $1_dbusd_t proc_t:file read;
|
||||||
|
|
||||||
|
can_getsecurity($1_dbusd_t)
|
||||||
|
r_dir_file($1_dbusd_t, default_context_t)
|
||||||
|
allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;
|
||||||
|
|
||||||
ifdef(`pamconsole.te', `
|
ifdef(`pamconsole.te', `
|
||||||
r_dir_file($1_dbusd_t, pam_var_console_t)
|
r_dir_file($1_dbusd_t, pam_var_console_t)
|
||||||
')
|
')
|
||||||
|
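Review bot: The added `allow system_dbusd_t self:netlink_selinux_socket create_socket_perms;` hard-codes the system bus type inside a template whose every other rule targets `$1_dbusd_t`, so the per-user session bus this template defines gets no such access and the identical system_dbusd_t rule is re-emitted on every instantiation. If the session bus needs the SELinux netlink socket (plausible next to the new `can_getsecurity($1_dbusd_t)`, presumably for AVC/policy-load notifications), the line should read `allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;`; if only the system bus needs it, the rule belongs with the system_dbusd rules rather than in this template. The `self:file` change from `{ getattr read }` to `{ getattr read write }` should also carry a comment naming what under /proc/self the daemon writes. The enclosing macro starts outside the hunk.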
@ -22,7 +22,6 @@ domain_auto_trans($1_t, gpg_agent_exec_t, $1_gpg_agent_t)
|
|||||||
role $1_r types $1_gpg_agent_t;
|
role $1_r types $1_gpg_agent_t;
|
||||||
|
|
||||||
allow $1_gpg_agent_t privfd:fd use;
|
allow $1_gpg_agent_t privfd:fd use;
|
||||||
allow $1_gpg_agent_t xdm_t:fd use;
|
|
||||||
|
|
||||||
# Write to the user domain tty.
|
# Write to the user domain tty.
|
||||||
access_terminal($1_gpg_agent_t, $1)
|
access_terminal($1_gpg_agent_t, $1)
|
||||||
@ -86,10 +85,9 @@ ifdef(`xdm.te', `
|
|||||||
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:dir search;
|
||||||
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
allow $1_gpg_pinentry_t xdm_xserver_tmp_t:sock_file { read write };
|
||||||
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
|
can_unix_connect($1_gpg_pinentry_t, xdm_xserver_t)
|
||||||
allow $1_gpg_pinentry_t xdm_t:fd use;
|
|
||||||
')dnl end ig xdm.te
|
')dnl end ig xdm.te
|
||||||
|
|
||||||
r_dir_file($1_gpg_pinentry_t, fonts_t)
|
read_fonts($1_gpg_pinentry_t, $1)
|
||||||
# read kde font cache
|
# read kde font cache
|
||||||
allow $1_gpg_pinentry_t usr_t:file { getattr read };
|
allow $1_gpg_pinentry_t usr_t:file { getattr read };
|
||||||
|
|
||||||
|
@ -23,27 +23,15 @@ type $1_gpg_secret_t, file_type, $1_file_type, sysadmfile;
|
|||||||
|
|
||||||
# Transition from the user domain to the derived domain.
|
# Transition from the user domain to the derived domain.
|
||||||
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
|
domain_auto_trans($1_t, gpg_exec_t, $1_gpg_t)
|
||||||
|
role $1_r types $1_gpg_t;
|
||||||
|
|
||||||
can_network($1_gpg_t)
|
can_network($1_gpg_t)
|
||||||
|
allow $1_gpg_t port_type:tcp_socket name_connect;
|
||||||
can_ypbind($1_gpg_t)
|
can_ypbind($1_gpg_t)
|
||||||
|
|
||||||
# for a bug in kmail
|
# for a bug in kmail
|
||||||
dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
|
dontaudit $1_gpg_t $1_t:unix_stream_socket { getattr read write };
|
||||||
|
|
||||||
# The user role is authorized for this domain.
|
|
||||||
role $1_r types $1_gpg_t;
|
|
||||||
|
|
||||||
# Legacy
|
|
||||||
if (allow_gpg_execstack) {
|
|
||||||
legacy_domain($1_gpg)
|
|
||||||
allow $1_gpg_t locale_t:file execute;
|
|
||||||
|
|
||||||
# Not quite sure why this is needed...
|
|
||||||
allow $1_gpg_t gpg_exec_t:file execmod;
|
|
||||||
}
|
|
||||||
|
|
||||||
allow $1_t $1_gpg_secret_t:file getattr;
|
|
||||||
|
|
||||||
allow $1_gpg_t device_t:dir r_dir_perms;
|
allow $1_gpg_t device_t:dir r_dir_perms;
|
||||||
allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
|
allow $1_gpg_t { random_device_t urandom_device_t }:chr_file r_file_perms;
|
||||||
|
|
||||||
@ -60,45 +48,28 @@ allow $1_gpg_t { privfd $1_t }:fd use;
|
|||||||
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
|
allow { $1_t $1_gpg_t } $1_gpg_t:process signal;
|
||||||
|
|
||||||
# setrlimit is for ulimit -c 0
|
# setrlimit is for ulimit -c 0
|
||||||
allow $1_gpg_t self:process { setrlimit setcap };
|
allow $1_gpg_t self:process { setrlimit setcap setpgid };
|
||||||
|
|
||||||
# allow ps to show gpg
|
# allow ps to show gpg
|
||||||
can_ps($1_t, $1_gpg_t)
|
can_ps($1_t, $1_gpg_t)
|
||||||
|
|
||||||
uses_shlib($1_gpg_t)
|
uses_shlib($1_gpg_t)
|
||||||
|
|
||||||
# should not need read access...
|
# Access .gnupg
|
||||||
allow $1_gpg_t home_root_t:dir { read search };
|
|
||||||
|
|
||||||
# use $1_gpg_secret_t for files it creates
|
|
||||||
# NB we are doing the type transition for directory creation only!
|
|
||||||
# so ~/.gnupg will be of $1_gpg_secret_t, then files created under it such as
|
|
||||||
# secring.gpg will be of $1_gpg_secret_t too. But when you use gpg to decrypt
|
|
||||||
# a file and write output to your home directory it will use user_home_t.
|
|
||||||
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)
|
|
||||||
rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
|
rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)
|
||||||
|
|
||||||
file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_home_t, file)
|
# Read content to encrypt/decrypt/sign
|
||||||
create_dir_file($1_gpg_t, $1_home_t)
|
read_content($1_gpg_t, $1)
|
||||||
|
|
||||||
# allow the usual access to /tmp
|
# Write content to encrypt/decrypt/sign
|
||||||
file_type_auto_trans($1_gpg_t, tmp_t, $1_tmp_t)
|
write_trusted($1_gpg_t, $1)
|
||||||
|
|
||||||
if (use_nfs_home_dirs) {
|
|
||||||
create_dir_file($1_gpg_t, nfs_t)
|
|
||||||
}
|
|
||||||
if (use_samba_home_dirs) {
|
|
||||||
create_dir_file($1_gpg_t, cifs_t)
|
|
||||||
}
|
|
||||||
|
|
||||||
allow $1_gpg_t self:capability { ipc_lock setuid };
|
allow $1_gpg_t self:capability { ipc_lock setuid };
|
||||||
rw_dir_create_file($1_gpg_t, $1_file_type)
|
|
||||||
|
|
||||||
allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
|
allow $1_gpg_t { etc_t usr_t }:dir r_dir_perms;
|
||||||
allow $1_gpg_t fs_t:filesystem getattr;
|
allow $1_gpg_t fs_t:filesystem getattr;
|
||||||
allow $1_gpg_t usr_t:file r_file_perms;
|
allow $1_gpg_t usr_t:file r_file_perms;
|
||||||
read_locale($1_gpg_t)
|
read_locale($1_gpg_t)
|
||||||
allow $1_t $1_gpg_secret_t:dir rw_dir_perms;
|
|
||||||
|
|
||||||
dontaudit $1_gpg_t var_t:dir search;
|
dontaudit $1_gpg_t var_t:dir search;
|
||||||
|
|
||||||
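Review bot: This hunk deletes `file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)` together with the comment explaining that ~/.gnupg receives `$1_gpg_secret_t` by creation-time transition, and replaces it with `rw_dir_create_file($1_gpg_t, $1_gpg_secret_t)` plus `read_content`/`write_trusted`. Unless the transition now lives inside one of those macros or in file_contexts (neither is visible here), a ~/.gnupg that gpg creates for a new user will be labelled as ordinary home content and secring.gpg will not carry the secret type at all. Either keep `file_type_auto_trans($1_gpg_t, $1_home_dir_t, $1_gpg_secret_t, dir)` next to the `rw_dir_create_file` line or add a comment stating where ~/.gnupg now gets its type. Separately, the new `allow $1_gpg_t port_type:tcp_socket name_connect;` earlier in this file lets gpg itself connect to every TCP port even though keyserver traffic is delegated to `$1_gpg_helper_t`; consider restricting both domains to the keyserver port types. The enclosing gpg_domain macro starts outside the hunk.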
@ -130,6 +101,7 @@ allow $1_gpg_helper_t $1_t:fd use;
|
|||||||
allow $1_gpg_helper_t $1_t:fifo_file write;
|
allow $1_gpg_helper_t $1_t:fifo_file write;
|
||||||
# get keys from the network
|
# get keys from the network
|
||||||
can_network_client($1_gpg_helper_t)
|
can_network_client($1_gpg_helper_t)
|
||||||
|
allow $1_gpg_helper_t port_type:tcp_socket name_connect;
|
||||||
allow $1_gpg_helper_t etc_t:file { getattr read };
|
allow $1_gpg_helper_t etc_t:file { getattr read };
|
||||||
allow $1_gpg_helper_t urandom_device_t:chr_file read;
|
allow $1_gpg_helper_t urandom_device_t:chr_file read;
|
||||||
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
|
allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
@ -137,8 +109,7 @@ allow $1_gpg_helper_t self:unix_stream_socket create_stream_socket_perms;
|
|||||||
dontaudit $1_gpg_helper_t var_t:dir search;
|
dontaudit $1_gpg_helper_t var_t:dir search;
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
ifdef(`xdm.te', `
|
||||||
dontaudit $1_gpg_t xdm_t:fd use;
|
can_pipe_xdm($1_gpg_t)
|
||||||
dontaudit $1_gpg_t xdm_t:fifo_file read;
|
|
||||||
')
|
')
|
||||||
|
|
||||||
')dnl end gpg_domain definition
|
')dnl end gpg_domain definition
|
||||||
|
@ -56,7 +56,6 @@ allow $1_t self:dir search;
|
|||||||
allow $1_t self:{ lnk_file file } { getattr read };
|
allow $1_t self:{ lnk_file file } { getattr read };
|
||||||
can_kerberos($1_t)
|
can_kerberos($1_t)
|
||||||
allow $1_t urandom_device_t:chr_file r_file_perms;
|
allow $1_t urandom_device_t:chr_file r_file_perms;
|
||||||
type $1_port_t, port_type, reserved_port_type;
|
|
||||||
# Use sockets inherited from inetd.
|
# Use sockets inherited from inetd.
|
||||||
ifelse($2, `', `
|
ifelse($2, `', `
|
||||||
allow inetd_t $1_port_t:udp_socket name_bind;
|
allow inetd_t $1_port_t:udp_socket name_bind;
|
||||||
|
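Review bot: The hunk deletes `type $1_port_t, port_type, reserved_port_type;` while the context lines directly below still reference `$1_port_t` (`allow inetd_t $1_port_t:udp_socket name_bind;`), so every invocation of this macro now depends on that type being declared somewhere else. If the declarations moved to a central port-type file, add a comment here saying so, e.g. `# $1_port_t must be declared in the shared port types; every caller of this macro needs one`, and verify that each existing caller's type is actually present there, otherwise the policy fails to build on an undeclared type. The enclosing macro starts and ends outside the hunk.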
@ -2,6 +2,7 @@ define(`can_kerberos',`
|
|||||||
ifdef(`kerberos.te',`
|
ifdef(`kerberos.te',`
|
||||||
if (allow_kerberos) {
|
if (allow_kerberos) {
|
||||||
can_network_client($1, `kerberos_port_t')
|
can_network_client($1, `kerberos_port_t')
|
||||||
|
allow $1 kerberos_port_t:tcp_socket name_connect;
|
||||||
can_resolve($1)
|
can_resolve($1)
|
||||||
}
|
}
|
||||||
') dnl kerberos.te
|
') dnl kerberos.te
|
||||||
|
@ -34,6 +34,7 @@ role $1_r types $1_mail_t;
|
|||||||
|
|
||||||
uses_shlib($1_mail_t)
|
uses_shlib($1_mail_t)
|
||||||
can_network_client_tcp($1_mail_t)
|
can_network_client_tcp($1_mail_t)
|
||||||
|
allow $1_mail_t port_type:tcp_socket name_connect;
|
||||||
can_resolve($1_mail_t)
|
can_resolve($1_mail_t)
|
||||||
can_ypbind($1_mail_t)
|
can_ypbind($1_mail_t)
|
||||||
allow $1_mail_t self:unix_dgram_socket create_socket_perms;
|
allow $1_mail_t self:unix_dgram_socket create_socket_perms;
|
||||||
|
@ -49,7 +49,7 @@ can_setexec($1_t)
|
|||||||
allow $1_t autofs_t:dir search;
|
allow $1_t autofs_t:dir search;
|
||||||
|
|
||||||
# Use capabilities.
|
# Use capabilities.
|
||||||
allow $1_t self:capability { setuid setgid net_bind_service dac_override };
|
allow $1_t self:capability { fowner setuid setgid net_bind_service dac_override };
|
||||||
|
|
||||||
# Read the devpts root directory.
|
# Read the devpts root directory.
|
||||||
allow $1_t devpts_t:dir r_dir_perms;
|
allow $1_t devpts_t:dir r_dir_perms;
|
||||||
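Review bot: `fowner` is added to the `$1_t` capability set under a comment that still reads only `# Use capabilities.`, which says nothing about why the daemon domain this macro builds needs to bypass file-owner checks (chmod/utime on files it does not own). Name the operation in the comment, e.g. `# fowner: chmod of the pty handed to the session (confirm against the daemon code path)`, so the grant can be checked against real behaviour instead of being carried forever. The enclosing macro starts outside the hunk.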
@ -60,8 +60,7 @@ r_dir_file($1_t, selinux_config_t)
|
|||||||
allow $1_t etc_t:file r_file_perms;
|
allow $1_t etc_t:file r_file_perms;
|
||||||
|
|
||||||
# Read /var.
|
# Read /var.
|
||||||
allow $1_t var_t:dir r_dir_perms;
|
r_dir_file($1_t, var_t)
|
||||||
allow $1_t var_t:notdevfile_class_set r_file_perms;
|
|
||||||
|
|
||||||
# Read /dev directories and any symbolic links.
|
# Read /dev directories and any symbolic links.
|
||||||
allow $1_t device_t:dir r_dir_perms;
|
allow $1_t device_t:dir r_dir_perms;
|
||||||
|
@ -49,6 +49,7 @@ read_locale($1_ssh_agent_t)
|
|||||||
allow $1_ssh_agent_t proc_t:dir search;
|
allow $1_ssh_agent_t proc_t:dir search;
|
||||||
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
|
dontaudit $1_ssh_agent_t proc_t:{ lnk_file file } { getattr read };
|
||||||
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
|
dontaudit $1_ssh_agent_t selinux_config_t:dir search;
|
||||||
|
dontaudit $1_ssh_agent_t selinux_config_t:file { read getattr };
|
||||||
read_sysctl($1_ssh_agent_t)
|
read_sysctl($1_ssh_agent_t)
|
||||||
|
|
||||||
# Access the ssh temporary files. Should we have an own type here
|
# Access the ssh temporary files. Should we have an own type here
|
||||||
@ -62,7 +63,7 @@ allow $1_ssh_agent_t self:process { fork sigchld setrlimit };
|
|||||||
allow $1_ssh_agent_t self:capability setgid;
|
allow $1_ssh_agent_t self:capability setgid;
|
||||||
|
|
||||||
# access the random devices
|
# access the random devices
|
||||||
allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file read;
|
allow $1_ssh_agent_t { random_device_t urandom_device_t }:chr_file { getattr read };
|
||||||
|
|
||||||
# for ssh-add
|
# for ssh-add
|
||||||
can_unix_connect($1_t, $1_ssh_agent_t)
|
can_unix_connect($1_t, $1_ssh_agent_t)
|
||||||
@ -89,8 +90,7 @@ allow $1_ssh_t $1_t:unix_stream_socket connectto;
|
|||||||
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
|
allow $1_ssh_t $1_ssh_agent_t:unix_stream_socket connectto;
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
ifdef(`xdm.te', `
|
||||||
allow $1_ssh_agent_t xdm_t:fd use;
|
can_pipe_xdm($1_ssh_agent_t)
|
||||||
allow $1_ssh_agent_t xdm_t:fifo_file { read write };
|
|
||||||
|
|
||||||
# kdm: sigchld
|
# kdm: sigchld
|
||||||
allow $1_ssh_agent_t xdm_t:process sigchld;
|
allow $1_ssh_agent_t xdm_t:process sigchld;
|
||||||
|
@ -53,8 +53,7 @@ allow $1_ssh_t fs_type:filesystem getattr;
|
|||||||
base_file_read_access($1_ssh_t)
|
base_file_read_access($1_ssh_t)
|
||||||
|
|
||||||
# Read /var.
|
# Read /var.
|
||||||
allow $1_ssh_t var_t:dir r_dir_perms;
|
r_dir_file($1_ssh_t, var_t)
|
||||||
allow $1_ssh_t var_t:notdevfile_class_set r_file_perms;
|
|
||||||
|
|
||||||
# Read /var/run, /var/log.
|
# Read /var/run, /var/log.
|
||||||
allow $1_ssh_t var_run_t:dir r_dir_perms;
|
allow $1_ssh_t var_run_t:dir r_dir_perms;
|
||||||
@ -63,8 +62,7 @@ allow $1_ssh_t var_log_t:dir r_dir_perms;
|
|||||||
allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
|
allow $1_ssh_t var_log_t:{ file lnk_file } r_file_perms;
|
||||||
|
|
||||||
# Read /etc.
|
# Read /etc.
|
||||||
allow $1_ssh_t etc_t:dir r_dir_perms;
|
r_dir_file($1_ssh_t, etc_t)
|
||||||
allow $1_ssh_t etc_t:notdevfile_class_set r_file_perms;
|
|
||||||
allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
|
allow $1_ssh_t etc_runtime_t:{ file lnk_file } r_file_perms;
|
||||||
|
|
||||||
# Read /dev directories and any symbolic links.
|
# Read /dev directories and any symbolic links.
|
||||||
@ -80,6 +78,7 @@ allow $1_ssh_t { null_device_t zero_device_t }:chr_file rw_file_perms;
|
|||||||
# Grant permissions needed to create TCP and UDP sockets and
|
# Grant permissions needed to create TCP and UDP sockets and
|
||||||
# to access the network.
|
# to access the network.
|
||||||
can_network_client_tcp($1_ssh_t)
|
can_network_client_tcp($1_ssh_t)
|
||||||
|
allow $1_ssh_t ssh_port_t:tcp_socket name_connect;
|
||||||
can_resolve($1_ssh_t)
|
can_resolve($1_ssh_t)
|
||||||
can_ypbind($1_ssh_t)
|
can_ypbind($1_ssh_t)
|
||||||
can_kerberos($1_ssh_t)
|
can_kerberos($1_ssh_t)
|
||||||
@ -130,18 +129,8 @@ allow $1_t $1_ssh_t:process signal;
|
|||||||
# allow ps to show ssh
|
# allow ps to show ssh
|
||||||
can_ps($1_t, $1_ssh_t)
|
can_ps($1_t, $1_ssh_t)
|
||||||
|
|
||||||
ifdef(`xserver.te', `
|
# Connect to X server
|
||||||
# Communicate with the X server.
|
x_client_domain($1_ssh, $1)
|
||||||
ifdef(`startx.te', `
|
|
||||||
can_unix_connect($1_ssh_t, $1_xserver_t)
|
|
||||||
allow $1_ssh_t $1_xserver_tmp_t:sock_file rw_file_perms;
|
|
||||||
allow $1_ssh_t $1_xserver_tmp_t:dir search;
|
|
||||||
')dnl end if startx
|
|
||||||
ifdef(`xdm.te', `
|
|
||||||
allow $1_ssh_t { xdm_xserver_tmp_t xdm_tmp_t }:dir search;
|
|
||||||
allow $1_ssh_t { xdm_tmp_t }:sock_file write;
|
|
||||||
')
|
|
||||||
')dnl end if xserver
|
|
||||||
|
|
||||||
ifdef(`ssh-agent.te', `
|
ifdef(`ssh-agent.te', `
|
||||||
ssh_agent_domain($1)
|
ssh_agent_domain($1)
|
||||||
@ -152,18 +141,26 @@ ssh_agent_domain($1)
|
|||||||
allow $1_ssh_t mnt_t:dir search;
|
allow $1_ssh_t mnt_t:dir search;
|
||||||
r_dir_file($1_ssh_t, removable_t)
|
r_dir_file($1_ssh_t, removable_t)
|
||||||
|
|
||||||
ifdef(`xdm.te', `
|
type $1_ssh_keysign_t, domain, nscd_client_domain;
|
||||||
# should be able to remove these two later
|
role $1_r types $1_ssh_keysign_t;
|
||||||
allow $1_ssh_t xdm_xserver_tmp_t:sock_file { read write };
|
|
||||||
allow $1_ssh_t xdm_xserver_tmp_t:dir search;
|
|
||||||
allow $1_ssh_t xdm_xserver_t:unix_stream_socket connectto;
|
|
||||||
allow $1_ssh_t xdm_xserver_t:shm r_shm_perms;
|
|
||||||
allow $1_ssh_t xdm_xserver_t:fd use;
|
|
||||||
allow $1_ssh_t xdm_xserver_tmpfs_t:file read;
|
|
||||||
allow $1_ssh_t xdm_t:fd use;
|
|
||||||
')dnl end if xdm.te
|
|
||||||
')dnl end macro definition
|
|
||||||
|
|
||||||
|
if (allow_ssh_keysign) {
|
||||||
|
domain_auto_trans($1_ssh_t, ssh_keysign_exec_t, $1_ssh_keysign_t)
|
||||||
|
allow $1_ssh_keysign_t sshd_key_t:file { getattr read };
|
||||||
|
allow $1_ssh_keysign_t self:capability { setgid setuid };
|
||||||
|
allow $1_ssh_keysign_t urandom_device_t:chr_file r_file_perms;
|
||||||
|
uses_shlib($1_ssh_keysign_t)
|
||||||
|
dontaudit $1_ssh_keysign_t selinux_config_t:dir search;
|
||||||
|
dontaudit $1_ssh_keysign_t proc_t:dir search;
|
||||||
|
dontaudit $1_ssh_keysign_t proc_t:{ lnk_file file } { getattr read };
|
||||||
|
allow $1_ssh_keysign_t usr_t:dir search;
|
||||||
|
allow $1_ssh_keysign_t etc_t:file { getattr read };
|
||||||
|
allow $1_ssh_keysign_t self:dir search;
|
||||||
|
allow $1_ssh_keysign_t self:file { getattr read };
|
||||||
|
allow $1_ssh_keysign_t self:unix_stream_socket create_socket_perms;
|
||||||
|
}
|
||||||
|
|
||||||
|
')dnl end macro definition
|
||||||
', `
|
', `
|
||||||
|
|
||||||
define(`ssh_domain',`')
|
define(`ssh_domain',`')
|
||||||
|
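Review bot: The new `$1_ssh_keysign_t` domain receives `sshd_key_t:file { getattr read }` and `self:capability { setgid setuid }` with no comment, although this is the most sensitive grant in the hunk: a per-user derived domain reading the host private key. Add a header above `type $1_ssh_keysign_t` saying that ssh-keysign is the setuid helper for host-based authentication, that it reads the host key only to sign the client challenge and (presumably, given the setuid/setgid capabilities) then drops privilege, and that the whole path is gated by `allow_ssh_keysign`, whose default is declared elsewhere and should be off. The type and role are declared outside the boolean while the transition and accesses sit inside it; that is correct but deserves a one-line comment so nobody "fixes" it by moving the declarations in. The enclosing ssh_domain macro starts outside the hunk.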
@ -24,6 +24,13 @@ ifdef(`su.te', `
|
|||||||
define(`su_restricted_domain', `
|
define(`su_restricted_domain', `
|
||||||
# Derived domain based on the calling user domain and the program.
|
# Derived domain based on the calling user domain and the program.
|
||||||
type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
|
type $1_su_t, domain, privlog, privrole, privuser, privowner, privfd, nscd_client_domain;
|
||||||
|
ifdef(`support_polyinstantiation', `
|
||||||
|
typeattribute $1_su_t mlsfileread;
|
||||||
|
typeattribute $1_su_t mlsfilewrite;
|
||||||
|
typeattribute $1_su_t mlsfileupgrade;
|
||||||
|
typeattribute $1_su_t mlsfiledowngrade;
|
||||||
|
typeattribute $1_su_t mlsprocsetsl;
|
||||||
|
')
|
||||||
|
|
||||||
# for SSP
|
# for SSP
|
||||||
allow $1_su_t urandom_device_t:chr_file { getattr read };
|
allow $1_su_t urandom_device_t:chr_file { getattr read };
|
||||||
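Review bot: Under `support_polyinstantiation` this hunk gives the restricted su domain `mlsfileread`, `mlsfilewrite`, `mlsfileupgrade`, `mlsfiledowngrade` and `mlsprocsetsl`, i.e. it makes `$1_su_t` a fully MLS-trusted subject for every user domain that instantiates `su_restricted_domain`, with no comment saying which polyinstantiation step needs which override. `mlsprocsetsl` and `mlsfileread`/`mlsfilewrite` are plausibly needed to set the new session's level and populate its polyinstantiated directories; `mlsfileupgrade`/`mlsfiledowngrade` relabel existing files across levels and are much harder to justify for su. Add a comment per attribute naming the operation, e.g. `# mlsprocsetsl: su sets the level of the new session`, and drop the upgrade/downgrade pair unless a concrete need is documented. The enclosing macro starts outside the hunk.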
@ -32,7 +39,6 @@ allow $1_su_t urandom_device_t:chr_file { getattr read };
|
|||||||
domain_auto_trans($1_t, su_exec_t, $1_su_t)
|
domain_auto_trans($1_t, su_exec_t, $1_su_t)
|
||||||
|
|
||||||
allow $1_su_t sbin_t:dir search;
|
allow $1_su_t sbin_t:dir search;
|
||||||
domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
|
|
||||||
|
|
||||||
uses_shlib($1_su_t)
|
uses_shlib($1_su_t)
|
||||||
allow $1_su_t etc_t:file { getattr read };
|
allow $1_su_t etc_t:file { getattr read };
|
||||||
@ -62,7 +68,7 @@ allow $1_su_t crond_t:fifo_file read;
|
|||||||
')
|
')
|
||||||
|
|
||||||
# Use capabilities.
|
# Use capabilities.
|
||||||
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource };
|
allow $1_su_t self:capability { setuid setgid net_bind_service chown dac_override fowner sys_nice sys_resource audit_control };
|
||||||
dontaudit $1_su_t self:capability sys_tty_config;
|
dontaudit $1_su_t self:capability sys_tty_config;
|
||||||
#
|
#
|
||||||
# Caused by su - init scripts
|
# Caused by su - init scripts
|
||||||
@ -88,6 +94,13 @@ allow $1_su_t privfd:fd use;
|
|||||||
allow $1_su_t { var_t var_run_t }:dir search;
|
allow $1_su_t { var_t var_run_t }:dir search;
|
||||||
allow $1_su_t initrc_var_run_t:file rw_file_perms;
|
allow $1_su_t initrc_var_run_t:file rw_file_perms;
|
||||||
can_kerberos($1_su_t)
|
can_kerberos($1_su_t)
|
||||||
|
|
||||||
|
ifdef(`chkpwd.te', `
|
||||||
|
domain_auto_trans($1_su_t, chkpwd_exec_t, $2_chkpwd_t)
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1_su_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms };
|
||||||
|
|
||||||
') dnl end su_restricted_domain
|
') dnl end su_restricted_domain
|
||||||
|
|
||||||
define(`su_mini_domain', `
|
define(`su_mini_domain', `
|
||||||
@ -109,10 +122,6 @@ allow $1_su_t { ttyfile ptyfile }:chr_file { read write };
|
|||||||
|
|
||||||
define(`su_domain', `
|
define(`su_domain', `
|
||||||
su_mini_domain($1)
|
su_mini_domain($1)
|
||||||
ifdef(`chkpwd.te', `
|
|
||||||
# Run chkpwd.
|
|
||||||
can_exec($1_su_t, chkpwd_exec_t)
|
|
||||||
')
|
|
||||||
|
|
||||||
# Inherit and use descriptors from gnome-pty-helper.
|
# Inherit and use descriptors from gnome-pty-helper.
|
||||||
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
|
ifdef(`gnome-pty-helper.te', `allow $1_su_t $1_gph_t:fd use;')
|
||||||
@ -139,6 +148,16 @@ if (use_samba_home_dirs) {
|
|||||||
allow $1_su_t cifs_t:dir search;
|
allow $1_su_t cifs_t:dir search;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ifdef(`support_polyinstantiation', `
|
||||||
|
# Su can polyinstantiate
|
||||||
|
polyinstantiater($1_su_t)
|
||||||
|
# Su has to unmount polyinstantiated directories (like home)
|
||||||
|
# that should not be polyinstantiated under the new user
|
||||||
|
allow $1_su_t fs_t:filesystem unmount;
|
||||||
|
# Su needs additional permission to mount over a previous mount
|
||||||
|
allow $1_su_t polymember:dir mounton;
|
||||||
|
')
|
||||||
|
|
||||||
# Modify .Xauthority file (via xauth program).
|
# Modify .Xauthority file (via xauth program).
|
||||||
ifdef(`xauth.te', `
|
ifdef(`xauth.te', `
|
||||||
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
file_type_auto_trans($1_su_t, staff_home_dir_t, staff_xauth_home_t, file)
|
||||||
|
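--- /dev/null
+++ b/strict/mcs
@@ -0,0 +1,212 @@
+#
+# Define sensitivities
+#
+# Each sensitivity has a name and zero or more aliases.
+#
+# MCS is single-sensitivity.
+#
+sensitivity s0;
+
+#
+# Define the ordering of the sensitivity levels (least to greatest)
+#
+dominance { s0 }
+
+
+#
+# Define the categories
+#
+# Each category has a name and zero or more aliases.
+#
+category c0;
+category c1;
+category c2;
+category c3;
+category c4;
+category c5;
+category c6;
+category c7;
+category c8;
+category c9;
+category c10;
+category c11;
+category c12;
+category c13;
+category c14;
+category c15;
+category c16;
+category c17;
+category c18;
+category c19;
+category c20;
+category c21;
+category c22;
+category c23;
+category c24;
+category c25;
+category c26;
+category c27;
+category c28;
+category c29;
+category c30;
+category c31;
+category c32;
+category c33;
+category c34;
+category c35;
+category c36;
+category c37;
+category c38;
+category c39;
+category c40;
+category c41;
+category c42;
+category c43;
+category c44;
+category c45;
+category c46;
+category c47;
+category c48;
+category c49;
+category c50;
+category c51;
+category c52;
+category c53;
+category c54;
+category c55;
+category c56;
+category c57;
+category c58;
+category c59;
+category c60;
+category c61;
+category c62;
+category c63;
+category c64;
+category c65;
+category c66;
+category c67;
+category c68;
+category c69;
+category c70;
+category c71;
+category c72;
+category c73;
+category c74;
+category c75;
+category c76;
+category c77;
+category c78;
+category c79;
+category c80;
+category c81;
+category c82;
+category c83;
+category c84;
+category c85;
+category c86;
+category c87;
+category c88;
+category c89;
+category c90;
+category c91;
+category c92;
+category c93;
+category c94;
+category c95;
+category c96;
+category c97;
+category c98;
+category c99;
+category c100;
+category c101;
+category c102;
+category c103;
+category c104;
+category c105;
+category c106;
+category c107;
+category c108;
+category c109;
+category c110;
+category c111;
+category c112;
+category c113;
+category c114;
+category c115;
+category c116;
+category c117;
+category c118;
+category c119;
+category c120;
+category c121;
+category c122;
+category c123;
+category c124;
+category c125;
+category c126;
+category c127;
+
+
+#
+# Each MCS level specifies a sensitivity and zero or more categories which may
+# be associated with that sensitivity.
+#
+level s0:c0.c127;
+
+#
+# Define the MCS policy
+#
+# mlsconstrain class_set perm_set expression ;
+#
+# mlsvalidatetrans class_set expression ;
+#
+# expression : ( expression )
+# | not expression
+# | expression and expression
+# | expression or expression
+# | u1 op u2
+# | r1 role_mls_op r2
+# | t1 op t2
+# | l1 role_mls_op l2
+# | l1 role_mls_op h2
+# | h1 role_mls_op l2
+# | h1 role_mls_op h2
+# | l1 role_mls_op h1
+# | l2 role_mls_op h2
+# | u1 op names
+# | u2 op names
+# | r1 op names
+# | r2 op names
+# | t1 op names
+# | t2 op names
+# | u3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | r3 op names (NOTE: this is only available for mlsvalidatetrans)
+# | t3 op names (NOTE: this is only available for mlsvalidatetrans)
+#
+# op : == | !=
+# role_mls_op : == | != | eq | dom | domby | incomp
+#
+# names : name | { name_list }
+# name_list : name | name_list name
+#
+
+#
+# MCS policy for the file classes
+#
+# Constrain file access so that the high range of the process dominates
+# the high range of the file. We use the high range of the process so
+# that processes can always simply run at s0.
+#
+# Only files are constrained by MCS at this stage.
+#
+mlsconstrain file { read write setattr append unlink link rename
+create ioctl lock execute } (h1 dom h2);
+
+
+# XXX
+#
+# For some reason, we need to reference the mlsfileread attribute
+# or we get a build error. Below is a dummy entry to do this.
+mlsconstrain xextension query ( t1 == mlsfileread );
+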
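Review bot: The only MCS constraint, `mlsconstrain file { read write setattr append unlink link rename create ioctl lock execute } (h1 dom h2);`, leaves out `relabelfrom` and `relabelto`, so a domain that holds relabel permission on a file type can strip the categories from a file it does not dominate and then read it; category separation is therefore only as strong as the relabel rules elsewhere in the policy. Adding `relabelfrom relabelto` to that permission set (or a second `mlsconstrain file { relabelfrom relabelto } (h1 dom h2);`) closes that path for the file class. The comment already says only `file` is constrained; it would help to spell out what that leaves open at this stage: directory entries (listing, `remove_name`, renaming the parent), symlinks, and sockets/fifos of a categorised user are not separated. The `xextension query` dummy constraint at the end also changes behaviour for that class and should remain clearly marked as a build workaround to be removed.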
@ -276,7 +276,8 @@ allow { file_type device_type ttyfile } fs_t:filesystem associate;
|
|||||||
# Allow the pty to be associated with the file system.
|
# Allow the pty to be associated with the file system.
|
||||||
allow devpts_t self:filesystem associate;
|
allow devpts_t self:filesystem associate;
|
||||||
|
|
||||||
type tmpfs_t, file_type, sysadmfile, fs_type;
|
type tmpfs_t, file_type, mount_point, sysadmfile, fs_type;
|
||||||
|
allow { logfile tmpfs_t tmpfile home_type } tmpfs_t:filesystem associate;
|
||||||
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
|
allow { tmpfs_t tmp_t } tmpfs_t:filesystem associate;
|
||||||
ifdef(`distro_redhat', `
|
ifdef(`distro_redhat', `
|
||||||
allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
|
allow { dev_fs ttyfile } { tmpfs_t tmp_t }:filesystem associate;
|
||||||
@ -332,6 +333,7 @@ allow file_type noexattrfile:filesystem associate;
|
|||||||
|
|
||||||
# Type for anonymous FTP data, used by ftp and rsync
|
# Type for anonymous FTP data, used by ftp and rsync
|
||||||
type ftpd_anon_t, file_type, sysadmfile, customizable;
|
type ftpd_anon_t, file_type, sysadmfile, customizable;
|
||||||
|
type ftpd_anon_rw_t, file_type, sysadmfile, customizable;
|
||||||
|
|
||||||
allow customizable self:filesystem associate;
|
allow customizable self:filesystem associate;
|
||||||
|
|
||||||
|
@ -12,32 +12,32 @@
|
|||||||
# the permissions in the security class. It is also
|
# the permissions in the security class. It is also
|
||||||
# applied to selinuxfs inodes.
|
# applied to selinuxfs inodes.
|
||||||
#
|
#
|
||||||
type security_t, fs_type;
|
type security_t, mount_point, fs_type, mlstrustedobject;
|
||||||
|
|
||||||
#
|
#
|
||||||
# policy_config_t is the type of /etc/security/selinux/*
|
# policy_config_t is the type of /etc/security/selinux/*
|
||||||
# the security server policy configuration.
|
# the security server policy configuration.
|
||||||
#
|
#
|
||||||
type policy_config_t, file_type;
|
type policy_config_t, file_type, secadmfile;
|
||||||
|
|
||||||
#
|
#
|
||||||
# policy_src_t is the type of the policy source
|
# policy_src_t is the type of the policy source
|
||||||
# files.
|
# files.
|
||||||
#
|
#
|
||||||
type policy_src_t, file_type, sysadmfile;
|
type policy_src_t, file_type, secadmfile;
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# default_context_t is the type applied to
|
# default_context_t is the type applied to
|
||||||
# /etc/selinux/*/contexts/*
|
# /etc/selinux/*/contexts/*
|
||||||
#
|
#
|
||||||
type default_context_t, file_type, sysadmfile, login_contexts;
|
type default_context_t, file_type, login_contexts, secadmfile;
|
||||||
|
|
||||||
#
|
#
|
||||||
# file_context_t is the type applied to
|
# file_context_t is the type applied to
|
||||||
# /etc/selinux/*/contexts/files
|
# /etc/selinux/*/contexts/files
|
||||||
#
|
#
|
||||||
type file_context_t, file_type, sysadmfile;
|
type file_context_t, file_type, secadmfile;
|
||||||
|
|
||||||
#
|
#
|
||||||
# no_access_t is the type for objects that should
|
# no_access_t is the type for objects that should
|
||||||
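Review bot: Switching `policy_config_t`, `policy_src_t`, `default_context_t`, `file_context_t` and `selinux_config_t` from `sysadmfile` to `secadmfile`, and marking `security_t` as `mlstrustedobject`, is the core of the sysadm/secadm split, yet none of the surrounding comments mention it. Add a note at the top of this block, e.g. `# Policy and context configuration carries secadmfile: managed by secadm_r, not sysadm_r`, and on `security_t` say why selinuxfs must be MLS-trusted (presumably so processes at any level can query it, with the security-class permissions still gating writes such as load — confirm). `no_access_t` just below keeps `sysadmfile`; if that is intentional say so, since it now differs from every other type in the file. The hunk covers declarations only, so no enclosing block is cut.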
@ -49,6 +49,6 @@ type no_access_t, file_type, sysadmfile;
|
|||||||
# selinux_config_t is the type applied to
|
# selinux_config_t is the type applied to
|
||||||
# /etc/selinux/config
|
# /etc/selinux/config
|
||||||
#
|
#
|
||||||
type selinux_config_t, file_type, sysadmfile;
|
type selinux_config_t, file_type, secadmfile;
|
||||||
|
|
||||||
|
|
||||||
|
@ -41,10 +41,17 @@ user user_u roles { user_r };
|
|||||||
|
|
||||||
# The sysadm_r user also needs to be permitted system_r if we are to allow
|
# The sysadm_r user also needs to be permitted system_r if we are to allow
|
||||||
# direct execution of daemons
|
# direct execution of daemons
|
||||||
user root roles { sysadm_r staff_r ifdef(`direct_sysadm_daemon', `system_r') };
|
user root roles { sysadm_r staff_r secadm_r ifdef(`direct_sysadm_daemon', `system_r') };
|
||||||
|
|
||||||
# sample for administrative user
|
# sample for administrative user
|
||||||
#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
|
#user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
|
||||||
|
|
||||||
# sample for regular user
|
# sample for regular user
|
||||||
#user jdoe roles { user_r };
|
#user jdoe roles { user_r };
|
||||||
|
|
||||||
|
#
|
||||||
|
# The following users correspond to special Unix identities
|
||||||
|
#
|
||||||
|
ifdef(`nx_server.te', `
|
||||||
|
user nx roles nx_server_r;
|
||||||
|
')
|
||||||
|
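Review bot: `user root roles { sysadm_r staff_r secadm_r ... }` authorises the same Unix identity for both the system-administrator and the new security-administrator role, which undoes the separation of duties that secadm_r exists to provide: whoever reaches root's sysadm shell can also `newrole -r secadm_r` and edit policy, subject only to the role-change rules elsewhere. If the split is meant to be enforceable, give secadm_r to a dedicated identity (as the commented `jadmin` sample does for sysadm_r) and leave it off `root`, or at least make it an m4 knob like `direct_sysadm_daemon` so sites can opt out. Either way add a comment on the `user root` line saying the choice is deliberate.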
@ -1,8 +1,8 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
DISTROS="redhat gentoo debian suse"
|
DISTROS="redhat gentoo debian suse"
|
||||||
STRICT_TYPES="strict strict-mls"
|
STRICT_TYPES="strict strict-mls strict-mcs"
|
||||||
TARG_TYPES="targeted targeted-mls"
|
TARG_TYPES="targeted targeted-mls targeted-mcs"
|
||||||
POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
|
POLVER="`checkpolicy -V |cut -f 1 -d ' '`"
|
||||||
SETFILES="/usr/sbin/setfiles"
|
SETFILES="/usr/sbin/setfiles"
|
||||||
|
|
||||||
|